A professional hacker was rewarded by Facebook for finding a security vulnerability on one of their servers that stole the usernames and passwords of staff members.
A paid hacker made his way into a Facebook server only to find out that it was already hacked by another paid hacker, who had installed malware, siphoning off usernames and passwords to a remote computer. The hacker was rewarded $10,000 and his talents were appreciated by the world’s largest social network.
Beta News reports:
Orange Tsai managed to compromise a Linux-based staff server and found there was already a piece of malware in place syphoning off usernames and passwords. These account details were being transmitted to a remote computer, and after revealing this to Facebook, Tsia pocketed $10,000 as a reward.
BYPASS THE CENSORS
Sign up to get unfiltered news delivered straight to your inbox.
You can unsubscribe any time. By subscribing you agree to our Terms of Use
Facebook says that the malware was installed by a security researcher who was trying to earn themselves a bounty. Tsai, who works for Devcore in Taiwan, has provided a detailed write-up of what poking around Facebook servers revealed. Using a reverse lookup, Tsia discovered the existence of files.fb.com which was running Accellion’s Secure File Transfer service which is known to suffer from certain vulnerabilities.
Using an SQL injection vulnerability, Tsai was able to execute remote code on the server and gain control of it. It was at this point that password-stealing PHP scripts were found to be present.
In a statement, Facebook security engineer Reginaldo Silva said:
We're really glad Orange reported this to us. In this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security. We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.
Facebook stresses that no user information was compromised by the backdoor.
