Facebook has blamed a Java zero-day for a recent attack.
While it confirmed that there was no evidence that Facebook user data was compromised and that it was not the only website to be attacked, it said that malware was installed when a Java zero-day was exploited to bypass the Java sandbox.
“We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on 1st February 2013 that addresses this vulnerability,” it said.
In its statement, it said that it discovered that systems had been targeted in a sophisticated attack when some employees visited a mobile developer website that was compromised.
“The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day,” it said.
Facebook's chief security officer Joe Sullivan told Ars Technica that the attack was discovered when a suspicious domain was detected in Facebook's Domain Name System (DNS) request logs. These requests were tracked back to the laptop of an engineer working on mobile application development projects. Forensic analysis of the files on the laptop led to the discovery of a number of other compromised systems.
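The detection path described here (a suspicious name in resolver logs, then a pivot from that name back to the querying hosts) is a routine piece of security operations work. The script below is an added example and not Facebook's tooling: it parses a small set of constructed DNS query log lines in an assumed `key=value` format, flags names whose registered domain is outside a constructed allowlist and that were queried by very few hosts or carry a high-entropy leftmost label, and then lists the hosts that asked for a flagged name. The log format, the hostnames and addresses, the allowlist and the thresholds are all assumptions for illustration.

```python
"""Triage of DNS query logs for rarely seen or odd-looking names, then a pivot
from a flagged name to the hosts that queried it.

Added example, not Facebook's code. The log format, domains, addresses,
allowlist and thresholds below are constructed for illustration only.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed resolver log lines in an assumed "timestamp key=value ..." format.
SAMPLE_DNS_LOG = """\
2013-01-28T09:02:11Z src=10.1.4.22 qname=www.example.com qtype=A
2013-01-28T09:02:12Z src=10.1.4.23 qname=www.example.com qtype=A
2013-01-28T09:02:15Z src=10.1.4.24 qname=mail.example.com qtype=A
2013-01-28T09:03:40Z src=10.1.4.22 qname=forum.mobiledev.example qtype=A
2013-01-28T09:03:41Z src=10.1.4.22 qname=x7q2k9vb3m.example.net qtype=A
2013-01-28T09:05:02Z src=10.1.4.22 qname=x7q2k9vb3m.example.net qtype=A
2013-01-28T09:07:30Z src=10.1.4.25 qname=www.example.com qtype=AAAA
2013-01-28T09:08:10Z src=10.1.4.23 qname=mail.example.com qtype=A
this line is garbage and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)

# Assumed allowlist of registered domains known to be legitimate on this network.
KNOWN_GOOD: Set[str] = {"example.com"}


def registered_domain(qname: str) -> str:
    """Last two labels of a name. A real deployment should use a public
    suffix list so that names under e.g. co.uk are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; algorithmically generated labels score high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source host, queried name) for each well-formed line.
    Malformed lines are skipped rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group("ts"), m.group("src"), m.group("qname").lower()))
    return records


def find_suspicious_domains(
    records: List[Tuple[str, str, str]], max_hosts: int = 1, min_entropy: float = 3.0
) -> Dict[str, List[str]]:
    """Map each flagged name to the reasons it was flagged.

    A name is flagged when its registered domain is not allowlisted and it was
    queried by at most `max_hosts` distinct hosts ("rare"), or its leftmost
    label has entropy of at least `min_entropy` bits ("high-entropy-label").
    """
    hosts_by_name: Dict[str, Set[str]] = defaultdict(set)
    for _, src, qname in records:
        hosts_by_name[qname].add(src)

    findings: Dict[str, List[str]] = {}
    for qname, hosts in hosts_by_name.items():
        if registered_domain(qname) in KNOWN_GOOD:
            continue
        reasons = []
        if len(hosts) <= max_hosts:
            reasons.append("rare")
        if shannon_entropy(qname.split(".")[0]) >= min_entropy:
            reasons.append("high-entropy-label")
        if reasons:
            findings[qname] = reasons
    return findings


def hosts_that_queried(records: List[Tuple[str, str, str]], qname: str) -> Set[str]:
    """Pivot: which source hosts asked for this name? These are the machines
    to pull for forensic analysis."""
    return {src for _, src, q in records if q == qname.lower()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DNS_LOG)
    for name, reasons in sorted(find_suspicious_domains(recs).items()):
        print(f"{name:30s} {','.join(reasons):25s} hosts={sorted(hosts_that_queried(recs, name))}")
```

With the constructed sample, `forum.mobiledev.example` is flagged only as rare, while `x7q2k9vb3m.example.net` is flagged as both rare and high-entropy, and the pivot returns the single host `10.1.4.22` that queried it. A threshold of one querying host is deliberately aggressive and would be noisy on a real network; in practice the rarity check is run against a baseline of previously seen domains, and the allowlist is much larger than a single entry.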
In this instance, the attackers used a ‘watering hole’ attack by compromising the server of the mobile developer's web forum and using it to launch the zero-day Java exploit on visitors. Sullivan said: “The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected, regardless of how patched their machine was.”
Facebook also said that it is ‘clear that others were attacked and infiltrated recently as well’ after its investigation. As one of the first companies to discover this malware, it said that it immediately took steps to start sharing details about the infiltration with the other affected companies.
“We invest heavily in preventing, detecting and responding to threats that target our infrastructure, and we never stop working to protect the people who use our service. The vast majority of the time, we are successful in preventing harm before it happens, and our security team works to quickly and effectively investigate and stop abuse,” it said.
Barry Shteiman, senior security strategist at Imperva, said: “In Facebook's case they claim no data loss, which is difficult to guarantee, unless data access is regulated with proper controls. Controlling data access in your organisation ensures that incidents such as this do not result in data loss, even when malware zero-days cannot be prevented – you can prevent data loss and business deep hit.
“Facebook is considered a young company employing brilliant minds that are very good at what they do, and as a technology driven company most of its employees would be considered technology aware. And yet, a malware drive-by has caused a breach.”