Taiwanese researcher finds evidence of an earlier data breach whilst participating in Facebook’s bug bounty programme
A security researcher participating in a Facebook bug bounty programme said that after penetrating the security of a server belonging to the social network he found evidence that at least one other hacker had already been there, and had harvested hundreds of login credentials from Facebook employees.
Orange Tsai, of Taiwanese computer security firm DEVCORE, said he tested a server located at files.fb.com, which hosted a file transfer application made by enterprise software maker Accellion and appeared to be used by Facebook employees for file sharing.
After finding a number of vulnerabilities in the Accellion software, he gained entry to the server – but when he examined the server's error logs, he found entries indicating that someone else had already gained access.
What's more, the earlier visitors had installed a PHP-based backdoor that allowed them to execute shell commands, and had modified the Accellion software's authentication process so that it recorded the credentials of everyone who logged in.
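The discovery described above (a backdoor betraying itself through the server's own error log) is a pattern worth being able to check for deliberately rather than stumbling over. The following triage script is an added example, not code from the article, from Tsai's advisory or from the Accellion product: it parses lines in PHP's default error_log format and flags entries that point at a script outside the application's install tree, that were raised from `eval()`'d code, that mention a shell-execution function, or that reference credentials or scratch files. The application directories, the file names and the log lines are all constructed for the demo and are not the real layout of any product.

```python
"""Triage a PHP error log for traces of a webshell or credential logger.

Added example, not code from the original article or from the advisory it
reports on.  Every path, function name and log line below is constructed
for the demonstration.
"""
import re
from dataclasses import dataclass

# Where the installed application legitimately runs PHP from.  Assumed
# layout for the demo; a real check would use the vendor's package manifest.
KNOWN_APP_DIRS = ("/opt/fileapp/htdocs/", "/opt/fileapp/lib/")

# Functions a shell-command backdoor typically surfaces with in warnings.
SHELL_FUNCS = ("shell_exec", "system", "passthru", "exec", "popen", "proc_open")

# PHP's default error_log line, including the "file(N) : eval()'d code"
# location form PHP emits when the failing statement came from eval().
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*) in "
    r"(?P<file>\S+?)(?:\((?P<evalline>\d+)\) : eval\(\)'d code)? on line (?P<line>\d+)$"
)


@dataclass
class Finding:
    ts: str
    file: str
    reasons: list


def parse(line):
    """Return the fields of one error_log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_line(line):
    """Return a Finding for a suspicious line, None for a clean or unparsable one."""
    rec = parse(line)
    if rec is None:
        return None
    reasons = []
    # 1. PHP executing from somewhere the vendor never installed code.
    if not rec["file"].startswith(KNOWN_APP_DIRS):
        reasons.append("script outside application tree: " + rec["file"])
    # 2. Errors raised inside eval()'d code: a string was turned into code at runtime.
    if rec["evalline"] is not None:
        reasons.append("error raised from eval()'d code")
    # 3. A shell-execution function failing is how a command backdoor leaks into the log.
    for fn in SHELL_FUNCS:
        if re.search(r"\b%s\(" % re.escape(fn), rec["msg"]):
            reasons.append("shell-execution function in message: %s()" % fn)
            break
    # 4. Writes to scratch locations or reads of credential files from web code.
    if re.search(r"(?i)(passwd|password|credential|/dev/shm|/tmp/)", rec["msg"]):
        reasons.append("credential or scratch-file reference in message")
    return Finding(rec["ts"], rec["file"], reasons) if reasons else None


def triage(lines):
    """All findings for an iterable of log lines, in log order."""
    return [f for f in map(triage_line, lines) if f is not None]


def suspect_files(lines):
    """Sorted, de-duplicated list of script paths that produced a finding."""
    return sorted({f.file for f in triage(lines)})


# Constructed sample log: two benign application warnings, one command backdoor
# running from eval()'d code inside an image directory, a modified login page
# writing to /tmp, and a stray script in /dev/shm.
SAMPLE_LOG = """\
[01-Feb-2016 02:11:09 UTC] PHP Notice:  Undefined index: sort in /opt/fileapp/htdocs/list.php on line 41
[02-Feb-2016 04:37:22 UTC] PHP Warning:  shell_exec(): Unable to execute 'nc -z 10.0.0.5 389' in /opt/fileapp/htdocs/imgs/cache.php(2) : eval()'d code on line 1
[03-Feb-2016 04:40:01 UTC] PHP Warning:  file_put_contents(/tmp/.log): failed to open stream: Permission denied in /opt/fileapp/htdocs/login.php on line 17
[03-Feb-2016 04:40:05 UTC] PHP Warning:  Invalid argument supplied for foreach() in /opt/fileapp/lib/session.php on line 88
[05-Feb-2016 23:58:44 UTC] PHP Warning:  file_get_contents(/etc/passwd): failed to open stream: Permission denied in /dev/shm/.s.php on line 4
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.ts, f.file)
        for r in f.reasons:
            print("   -", r)
```

Treat the output as triage leads, not verdicts: the `/tmp/` and `password` patterns in particular will fire on legitimate code, and a line from inside the application tree (such as the modified `login.php` above) is only suspicious because of what it tried to do, so the next step is always to diff the flagged files against the vendor's shipped copies.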
"At the time I discovered these, there were around 300 logged credentials dated between February 1st and 7th, mostly '@fb.com' and '@facebook.com'," Tsai said in an advisory. "Upon seeing it I thought it's a pretty serious security incident."
The software allowed users to log in with LDAP and Windows Active Directory credentials, meaning the captured login details could potentially have been reused against other Facebook corporate systems, he said.
Login details captured
The hackers had apparently downloaded the captured credentials and deleted the file containing them every few days, and also seemed to have made efforts to map Facebook's internal network, log into LDAP and other servers and search for SSL private keys, according to Tsai.
He said the logs showed the server had been accessed once in July and again in mid-September of the previous year. The July intrusion occurred around the time of the public disclosure of a remote code execution bug in the Accellion File Transfer Appliance.
The second intrusion, which may have been by a different party, was the more serious, since it was then that the intruders installed the credential-logging code, Tsai said. Tsai's own test was carried out in February.
Tsai reported his findings to Facebook, which awarded him a $10,000 (£7,000) bug bounty and launched its own investigation, which ended this month, prompting DEVCORE's advisory.
Hack ‘was penetration test’
Facebook maintains its servers weren't at the mercy of password-stealing hackers: a member of its security team said the traces Tsai found were left by another penetration tester who participated in the bounty programme and neglected to disclose his or her actions to Facebook.
“After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty programme,” said Facebook security engineer Reginaldo Silva in a statement on Hacker News, a tech-oriented news board operated by venture capital firm Y Combinator. “Two competent researchers assessed the system, one of them reported what he found to us and got a good bounty.”
The hacked system was isolated from those that host data shared by users on Facebook, Silva said.
Silva didn’t offer a response to a Hacker News user who pointed out that installing a keylogger, downloading login details and not informing Facebook indicated not white-hat penetration testing but rather “an actual compromise of employee credentials”.
Facebook didn’t immediately respond to a request for further comment.