Last week, an IT security specialist who goes by the name of “Orange Tsai” revealed that, using publicly available information, he was not only able to break into Facebook’s billion-dollar network but also discovered that he wasn't the first to do so.
Under the aegis of Facebook’s bug bounty program, Tsai forced his way into one of Facebook’s internal servers and was able to take control of the machine by utilizing multiple hacking techniques.
Engadget highlighted the story’s big picture:
“It was a distressingly straightforward path to breaking into an internal server at a company whose collection of personal and identity data is so vast as to be unimaginable. But what happened next is flat-out alarming. Tsai found a backdoor in place that had been actively accessed by another hacker for at least eight months.”
Much like a hiker reaching the top of a mountain believed to be unknown, Tsai abruptly stumbled upon someone else’s flag at the summit. Once inside Facebook’s network, Tsai noticed a history log left by an unknown assailant who, among other things, had installed key loggers and obtained employee usernames and passwords.
In his blog post, Tsai stated:
"While collecting vulnerability details and evidences for reporting to Facebook, I found some strange things on (the server's) web log. At the time I discovered there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly '@fb.com' and '@facebook.com'. Upon seeing it I thought it's a pretty serious security incident. Also, from the log on the server, there were two periods that the system was obviously operated by the hacker, one in the beginning of July and one in mid-September (of last year)."
Facebook brushed off the discovery in a statement suggesting that they knew the other hacker was a 'white hat', though that doesn’t explain the access log obtained by Tsai, which shows months of access by the mysterious guest as he/she collected data on about 300 Facebook employees.
Facebook security employee Reginaldo Silva commented (on Tsai’s security post):
“…the backdoor Tsai found had been left behind by "another researcher who participates in our bounty program. Plus, that particular server was isolated from "the systems that host the data that people share on Facebook. It's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."
The fact remains that the inability of Facebook’s security team to identify and eliminate the backdoor left by the supposed “researcher” leaves many in disbelief.
Engadget’s Ms. Violet Blue had this opinion:
“The truth here is, someone shelled the server and key logged creds from hundreds of Facebook employees. In the world of hacking, there isn't an inch or an ounce between whether or not this is a big deal. It's huge. In just the past year, their systems have been compromised in major ways, and they've had no idea until bug bounty hopefuls reported it. All of this is made worse by the inconsistent payouts, flimsy assurances and jocks-in-the-schoolyard behavior. Right now, Facebook's security team looks like salesmen pushing snake oil at a premium rate.”
If Facebook is getting hacked this frequently, what are the odds of your organization’s existing IT setup getting hacked?
Abacus Private Cloud is a compliance-ready, fully managed Desktop-as-a-Service (DaaS) workplace with built-in, multi-tiered security designed and engineered to safeguard companies against cyber threats.