A hacker by the name of Orange Tsai, a self-described “penetration tester,” wrote in a blog post that he has discovered seven security vulnerabilities in the servers of Facebook, with a few allowing him to take control of the social network’s servers by using a web shell.
“After taking control of the server successfully, the first thing is to check whether the server environment is friendly to you,” Tsai wrote. “To stay on the server longer, you have to be familiar with the environments, restrictions, logs, etc and try hard not to be detected.”
This proved to expose some PHP error messages which seemed to be caused by some unauthorized visitor also trying to modify web shells. This ultimately led to the other hacker creating a proxy on the credential page to log Facebook employees’ credentials. Be aware that Tsai isn’t a bad hacker and doesn’t want to steal any average Facebook user’s information. In fact, the other hacker didn’t even want information on user’s credentials, just the one’s associated with FB workers.
Unfortunately, this hacker was able to get his hands on quite a handful of credentials:
“And at the time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly ‘@fb.com’ and ‘@facebook.com,'” Tsai wrote. “Upon seeing it I thought it’s a pretty serious security incident.”
Two different time periods when the other hacker had access to Facebook’s servers were also discovered by Tsai during a thorough review of the logs captured. These periods included a time in the beginning of July and some point in mid-September. This was ultimately the time when Tsai reported to the FB security team what was going on and stated that FB told him they were investigating the situation more.
He also said he was offered $10,000 as part of the bug bounty program and was asked not to disclose the exploit until Facebook completed its investigation on April 20th. This was done, and a FB spokesperson stated that the server vulnerability belonged to a third party file sharing platform the social network no longer operates. The spokesperson went on to say that Facebook was able to identify the other hacker, a security researcher who “was also participating in our bug bounty program and who was testing the same third party software.” The company has ultimately taken care of the issue and has since then shut down the servers affected so no more vulnerabilities were present.