Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Bug Hunter Hacks Facebook, Finds Someone Else's Backdoor Script
[Image: bug-hunter-hacks-facebook-finds-someone-...3279-2.jpg]
While trying to find bugs in Facebook's services, a security researcher accidentally stumbled over a hacker's backdoor script that was logging Facebook employee credentials for some of the company's backend applications.

Orange Tsai, a consultant for DevCore, also spends a lot of his free time helping big name companies fix vulnerabilities via their bug bounty programs. At the end of February, Tsai decided to give Facebook's bug bounty program another try and started mapping some of the company's backend services for possible servers he might hack.
"Researcher hacks Facebook's internal file sharing application"

His search led him to the domain, which is an online file transfer and file hosting service, running on Accellion’s Secure File Transfer (FTA) application.

After identifying the application's type and version, the researcher went to work and explored its source code, discovering in three cross-site scripting (XSS) flaws, two local privilege escalation issues, a known-secret-key issue that led to remote code execution, and a pre-auth SQL injection that also led to remote code execution.

The researcher used the SQL injection flaw he discovered in the FTA application to access Facebook's server and was rewarded with complete control over the machine.

With his goal reached, the researcher then started collecting the necessary information to submit a bug report to Facebook's staff. While looking at one of the server's logs, Tsai discovered a lot of suspicious error messages.
"Somebody already hacked the server and not part of the bug bounty program"

He tracked these messages down to a webshell, which he was sure, and quite obvious, that no Facebook employee ever uploaded. Inspecting the webshell's source code, Tsai found evidence of a server-side keylogger which was intercepting login operations and storing Facebook employee access credentials in a local log file.

The researcher then looked at other log files that showed how the hacker came back at various intervals to collect the logged data, map the local network, and attempt to steal SSL private keys.

Details revealed two separate periods when the hacker was active, one in July 2015, and then one in mid-September 2015.

Tsai filed a bug report with Facebook about the incident, who started an in-house forensics investigation, and rewarded the researcher with $10,000 (€8,850) for his efforts.

UPDATE: In a statement on Hacker News, Facebook's Reginaldo Silva said the webshell discovered on its servers was left there by another bug hunter, also enrolled in the company's bug bounty program.
[Image: bug-hunter-hacks-facebook-finds-someone-...3279-3.jpg]

Possibly Related Threads…
Thread Author Replies Views Last Post
  New SideWalk Backdoor Targeting U.S. Computer Retailers mrtrout 0 323 08-27-2021 , 01:22 AM
Last Post: mrtrout
  Researchers Warn of Facefish Backdoor Spreading Linux Rootkits mrtrout 0 443 05-28-2021 , 10:58 PM
Last Post: mrtrout
  Bizarro Banking Trojan Sports Sophisticated Backdoor Bjyda 0 426 05-23-2021 , 09:22 PM
Last Post: Bjyda
  Despite Hacks, US Not Seeking Widened Domestic Surveillance Bjyda 0 581 03-15-2021 , 10:22 PM
Last Post: Bjyda
  FireEye finds new malware likely linked to SolarWinds hackers Bjyda 0 815 03-04-2021 , 07:15 PM
Last Post: Bjyda

Forum Jump:

Users browsing this thread: 1 Guest(s)