In his post How I Hacked Facebook, and Found Someone's Backdoor Script, Tsai described how he used Google and publicly available information to find the internal Facebook domain tfbnw.net ("TheFacebook Network"). That led him to discover at least five other servers, including Outlook mail and two VPNs. One, called files.fb.com, had a login page that Tsai knew belonged to Accellion's file-sharing product Secure File Transfer.
He found seven vulnerabilities in Accellion's product -- which he dutifully reported to the Facebook security team and Accellion's support team. He used one of those holes to get into Facebook's server, using a very old and common hacking technique called "SQL injection." Then Tsai took control of the machine. Accellion identified these vulnerabilities and delivered a patch to customers in February.
It was a distressingly straightforward path to breaking into an internal server at a company whose collection of personal and identity data is so vast as to be unimaginable. But what happened next is flat-out alarming. Tsai wrote, "While collecting vulnerability details and evidences for reporting to Facebook, I found some strange things on [the server's] web log."
Tsai found a backdoor in place that had been actively accessed by another hacker for at least eight months.
This is where Tsai's details break apart and form a new picture. On closer look, he saw that the hacker had installed keyloggers -- software that records keystrokes -- and had collected Facebook employee usernames and passwords. These credentials were stored in a directory where the hacker could retrieve them.
"And at the time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, mostly '@fb.com' and '@facebook.com'. Upon seeing it I thought it's a pretty serious security incident.
(...) Also, from the log on the server, there were two periods that the system was obviously operated by the hacker, one in the beginning of July and one in mid-September [of last year]."
This was what caused infosec commenters to describe the company as being "completely owned."
Next came Facebook playing down the problem -- a spiel familiar to anyone with a Facebook account. When the post started getting attention on a forum, Facebook security employee Reginaldo Silva left a comment claiming the backdoor Tsai found had been left behind by "another researcher who participates in our bounty program."
Plus, he said, that particular server was isolated from "the systems that host the data that people share on Facebook." Silva continued, "It's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."
Other than collecting and probably using the login credentials of 300 Facebook employees for close to a year, I suppose the other hacker may not have been able to "escalate access." Yet how would he know? Even if it was as Silva claims -- a box hosting software from a third party, completely isolated from FB's infrastructure -- with employee passwords, the hacker could've accessed any number of things.
Either way, collecting those logins and passwords is absolutely against the rules for Facebook's bug bounty program. It's pretty clear that the other hacker wasn't a "participant" saving their bounty cash-in for a later date.
And like every accountability dodge that's issued from a Facebook employee's lips, Mr. Silva's claims are -- by his employer's own rules -- unverifiable.
After reporting everything he found in detail, Facebook awarded Tsai a paltry bug bounty of $10K.
Okay, maybe I'm overvaluing the work Tsai did for the Facebook security team, who were obviously busy with more important things. I just think that getting control of a Facebook server and revealing an intruder swiping employee passwords is worth more than a used 2008 Kia Sportage. And it's $5K less than what the company paid out to researcher Anand Prakash last month when he found out that anyone could brute-force a password reset (to hijack user accounts) on both Facebook's mobile and app testing sites.
I wasn't the only one who felt that way. When Tsai's post made the infosec rounds, people were equally shocked by the active and persistent compromise Tsai found and the low amount Facebook paid him for his disclosure.
If managing the bug bounty program is too hard...
Still, this mess might be better than what happened with Facebook's bug bounty last December.
Security researcher Wesley Wineberg saw that Facebook had started including Instagram in its bug bounty program. Poking around, he quickly stumbled into a daisy chain of security holes that would have given him access to pretty much everything, including source code.
As Wineberg made one discovery after another, he responsibly reported each subsequent bug he found and retained data as key evidence. Facebook "awarded" him $2,500 for the first bug.
The subsequent bugs must've been embarrassing, because Facebook's head of security seemed to take it personally. Chief Information Security Officer Alex Stamos didn't bother to contact Wineberg with his concerns about the bugs or the way he'd gone about finding them. Instead, Stamos called Wineberg's employer, who had nothing to do with any of it, and made gentlemanly threats of legal charges and law enforcement involvement. This is what earned Facebook a reputation for threatening researchers who disclose flaws in its properties.
The truth here is, someone shelled the server and keylogged creds from hundreds of Facebook employees. In the world of hacking, there isn't an inch or an ounce between whether or not this is a big deal. It's huge.
In just the past year, their systems have been compromised in major ways, and they've had no idea until bug bounty hopefuls reported it. Tsai's Facebook hack isn't even the first time files.fb.com has been publicly breached, and people who know what to look for in technical details will notice that the company's security team learned very little from what Wineberg found in Instagram's failures. All of this is made worse by the inconsistent payouts, flimsy assurances and jocks-in-the-schoolyard behavior.
Right now, Facebook's security team looks like salesmen pushing snake oil at a premium rate.