Two bug hunters have uncovered a vulnerability in Facebook's infrastructure. The social media giant is fairly relaxed about the whole incident.
One of the security researchers managed to gain access to one of Facebook's corporate servers, only to find a backdoor that had been left there by another security researcher.
According to Orange Tsai, a penetration tester at Devcore, the backdoor was found after he started looking at Facebook's infrastructure beyond the social media services themselves. One server that caught his attention was named "files.fb.com"; it hosted a secure file-sharing application.
Tsai also pointed out several flaws in the application. He said these vulnerabilities were exploited to gain access to Facebook's corporate servers, gather information from the logs, and write up a report for Facebook's security team. It was at this point that Tsai noticed something different: there were strange errors in the logs that pointed to a PHP-based backdoor. The backdoor allowed anyone who knew of its existence to execute shell commands and upload files. Beyond that, it hooked the Accellion application's authentication process and captured Facebook employee credentials.
Reginaldo Silva, a security engineer at Facebook, stated that the backdoor had been set up by another security researcher who was scanning Facebook's site in pursuit of a bug bounty. He said the team was glad that Orange reported it to them. He explained that the software in question is third-party software; since Facebook does not have complete control over it, the company runs it isolated from the systems that host the data people share on Facebook. He added that the team does this to maintain better security. The incident has raised questions about how bug bounty programs are conducted and how far their rules can be stretched.
Ken Munro, a partner at Pen Test Partners, said he is skeptical of the statement that the social media giant knew all about the incident. Munro added that most bug bounty programs will prevent a researcher from going any deeper than the first vulnerability they find. He noted that Facebook's terms and conditions are very specific: one does not exploit a security issue one discovers, for any reason. He added that these open bug bounty programs are going to see researchers tread on each other's toes every now and then.