Bug hunter finds backdoor in Facebook left by another bug hunter

News by Rene Millman

A series of bug bountiers have apparently open and closed a vulnerability in the social media giant, Facebook.

A security researcher has managed to gain access to one of Facebook's corporate servers only to discover a backdoor left by another security researcher.

According to Orange Tsai, a penetration tester at Devcore, a security consultancy in Taiwan,  the backdoor was discovered after the researcher started mapping out Facebook's infrastructure beyond its social media services. One server that caught the researcher's attention was one called files.fb.com, which hosted a secure file sharing software application produced by Accellion.

Tsai found a few flaws in this application (which he reported to Accellion). The vulnerabilities were then exploited to gain access to Facebook's corporate servers in order to gather information from logs and write up a report for Facebook's security team.

It was only then that Tsai noticed something odd. There were some unusual errors in the logs that pointed in the direction of a web shell or PHP-based backdoor. This had been installed on the servers.

This backdoor allowed those who knew of its existence to execute shell commands and upload files. Not only that, it hijacked the Accellion application authentication process and recorded Facebook employee credentials of those accessing the application.

"At the time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, mostly '@fb.com' and '@facebook.com'," Tsai said in a blog post . "Upon seeing it I thought it's a pretty serious security incident."

Tsai thought that these credentials may also work on other Facebook corporate servers but he didn't try to use them. It would appear that whoever set up the backdoor also made sure that any files created by it would be deleted after a few days. Other evidence pointed to someone trying to map out Facebook's internal network, logging into LDAP and mail servers and searching for private SSL keys.

"There were two periods that the system was obviously operated by the hacker, one in the beginning of July and one in mid-September," he said.

For his work on investigating Facebook's network, Tsai was awarded a $10,000 (£6905) bounty.

According to Facebook security engineer Reginaldo Silva on the forum post, this backdoor was installed by another security researcher, looking around the Facebook site looking to bag a bug bounty.

"We're really glad Orange reported this to us. In this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security," said Silva.

"We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

The incident raises questions over how bug bounty programs are conducted and how far the rules of such can be stretched.

 Alex Cruz Farmer, VP of cloud at Nsfocus, told SCMagazineUK.com that bug hunters do have to go the “extra mile” to provide proof of concepts.

“As we have seen in the past, through other researchers' fantastic work, unless there is a proven, real risk to a corporation or business, it will not get priority, and this is ultimately at the detriment of the users. We have seen a wide number of data breaches and cyber crime is clearly on the up.

“These teams, whilst small and elite, are targeting the businesses who are wanting to make the effort to protect themselves. Often we see that developers, during their coding of products, will often miss very obvious things, or in some cases cut corners due to deadlines and priorities. Bug bounty programs help resolve that,” said Farmer.

Ken Munro, partner at Pen Test Partners is sceptical at the assertion that "Facebook knew all along".

He told SC, "It simply isn't consistent with Facebook's responsible disclosure policy. Such an action would ignore the laws in the US pertaining to hacking and collection of personal data. If Facebook knew all along they would seem to be accomplices in a crime. Either there was no crime committed and this is a media circus, or there was a crime committed and no one seems to care?”

Munro added that most bug bounty programs prevent you from going deeper than the first vulnerability you find.

“The Facebook terms and conditions are very specific: You do not exploit a security issue that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

“Harvesting credentials onto your own infrastructure is a step too far and not responsible. This particular backdoor was collating legitimate data on employees including passwords. That's where we get into dangerous waters because you're effectively reducing security resilience by allowing these credentials to be harvested adding to rather than solving the problem,” warned Munro.

He added that open bug bounty programs, if they're any good, are inevitably going to see researchers tread on one another's toes from time to time.

“That's what you want: white hats scouring your network for issues. What you don't want are those self-same researchers potentially creating security issues on the platform. That defeats the purpose and to that end FB has been too cavalier in its approach,” said Munro.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews