Facebook's corporate network has been breached by a security researcher who then gained access to employee usernames and passwords.
DevCore researcher Orange Tsai said in a blog post that he was able to access thousands of details relating to the company and its personnel, although apparently not its users.
Tsai explained that he gained access after discovering a backdoor into the network left by someone else, adding that as a penetration tester he is obliged to do these types of hacks and that Facebook has a bug bounty programme that pays hackers to find bugs.
"With the growing popularity of Facebook around the world, I've always been interested in testing its security. Luckily, in 2012, Facebook launched a bug bounty programme which motivated me to give it a shot," he said.
"From a pen-tester's view, I tend to start from recon and do some research. First, I'll determine how large is the 'territory' of the company on the internet, then try to find a nice entrance to get in."
Tsai looked for known exploits and checked GitHub and Pastebin for information. He uncovered a lot of things that Facebook needed to know about and informed the company.
"I found seven vulnerabilities, including cross-site scripting x 3, pre-auth SQL injection leads to remote code execution, known-secret-key leads to remote code execution and local privilege escalation x 2," he said.
"Apart from reporting to Facebook security team, other vulnerabilities were submitted to Accellion support team in an advisory for their reference. After vendor patched, I also sent these to CERT/CC and they assigned four CVEs for these vulnerabilities."
The hacker found a hole in an area of Facebook's servers being used to store key information such as passwords.
"While collecting vulnerability details and evidence for reporting to Facebook, I found some strange things on web log. A brief summary: the [previous] hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while," Tsai said.
The credentials could be used to access Facebook servers at will. "At the time I discovered these there were around 300 logged credentials dated between 1 and 7 February. From 1 February mostly [email protected]' and [email protected]'. Upon seeing it I thought it's a pretty serious security incident."
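The log pattern Tsai describes, a file under the web directory fetched again and again by wget, can be checked for in access logs. The following is an added example, not code from the article or from Tsai's post; the combined log format, paths, addresses and the three-day threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in "combined" access-log format (not from the incident).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2024:03:12:09 +0000] "GET /uploads/tmp/out.log HTTP/1.1" 200 4812 "-" "Wget/1.21"
198.51.100.20 - - [01/Feb/2024:08:01:44 +0000] "POST /login HTTP/1.1" 302 0 "https://intranet.example/login" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2024:03:40:31 +0000] "GET /uploads/tmp/out.log HTTP/1.1" 200 9120 "-" "Wget/1.21"
198.51.100.9 - - [03/Feb/2024:11:15:02 +0000] "GET /downloads/tool.tar.gz HTTP/1.1" 200 88211 "-" "Wget/1.21"
203.0.113.7 - - [05/Feb/2024:02:58:17 +0000] "GET /uploads/tmp/out.log HTTP/1.1" 200 15334 "-" "Wget/1.21"
203.0.113.7 - - [05/Feb/2024:23:05:50 +0000] "GET /uploads/tmp/out.log HTTP/1.1" 200 15990 "-" "Wget/1.21"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def find_periodic_fetches(log_text, min_days=3, ua_prefixes=("wget",)):
    """Return (ip, path, distinct_days, hits) for every file that one client
    successfully fetched with a command-line downloader on >= min_days days."""
    fetch_dates = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] != "GET" or m["status"] != "200":
            continue  # only successful downloads matter here
        if not m["ua"].lower().startswith(ua_prefixes):
            continue  # heuristic: the User-Agent is client-controlled
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        fetch_dates[(m["ip"], m["path"])].append(ts.date())

    findings = []
    for (ip, path), dates in fetch_dates.items():
        distinct_days = len(set(dates))
        if distinct_days >= min_days:
            findings.append((ip, path, distinct_days, len(dates)))
    # Most persistent collectors first
    return sorted(findings, key=lambda f: (-f[2], -f[3]))

if __name__ == "__main__":
    for ip, path, days, hits in find_periodic_fetches(SAMPLE_LOG):
        print(f"{ip} fetched {path} {hits} times over {days} days")
```

A response size that grows between fetches of the same path, as in the sample lines, is a further sign that the file is being appended to between collections.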
Facebook is getting back to us on its side of this research and investigation.