Facebook's corporate network has been breached by a security researcher who then gained access to employee usernames and passwords.
DevCore researcher Orange Tsai said in a blog post that he was able to access thousands of details relating to the company and its personnel, although apparently not its users.
Tsai explained that he gained access after discovering a backdoor into the network left by someone else, adding that as a penetration tester he is obliged to do these types of hacks and that Facebook has a bug bounty programme that pays hackers to find bugs.
"With the growing popularity of Facebook around the world, I've always been interested in testing its security. Luckily, in 2012, Facebook launched a bug bounty programme which motivated me to give it a shot," he said.
"From a pen-tester's view, I tend to start from recon and do some research. First, I'll determine how large is the 'territory' of the company on the internet, then try to find a nice entrance to get in."
Tsai looked for known exploits and checked GitHub and Pastebin for information. He uncovered a lot of things that Facebook needed to know about and informed the company.
"I found seven vulnerabilities, including cross-site scripting x 3, pre-auth SQL injection leads to remote code execution, known-secret-key leads to remote code execution and local privilege escalation x 2," he said.
"Apart from reporting to Facebook security team, other vulnerabilities were submitted to Accellion support team in an advisory for their reference. After vendor patched, I also sent these to CERT/CC and they assigned four CVEs for these vulnerabilities."
The hacker found a hole in an area of Facebook's servers being used to store key information such as passwords.
"While collecting vulnerability details and evidence for reporting to Facebook, I found some strange things on web log. A brief summary: the [previous] hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while," Tsai said.
The credentials could be used to access Facebook servers at will. "At the time I discovered these there were around 300 logged credentials dated between 1 and 7 February. From 1 February mostly '@fb.com' and '@facebook.com'. Upon seeing it I thought it's a pretty serious security incident."
Facebook is getting back to us on its side of this research and investigation. µ
To hear more about security challenges, the threats they pose and how to combat them, sign up for V3 sister site Computing's Enterprise Security and Risk Management conference taking place on 24 November.
Nintendo sales double and profits balloon by 500 per cent as Shuntaro Furukawa is appointed president
Switch console sold more than 15 million units, while SNES Classic sold more than five million
High-precision measurements of nearly 1.7 billion stars made by Gaia space observatory
Water trapped in asteroids could be the source of the Earth's seas
Latest Skip Ahead build focuses on mobile and a number of small fixes