Facebook hacked, and twice at that

A security researcher who regularly hunts bug bounties managed to compromise a Facebook staff server through an insecure file-transfer web app and discovered that someone else was already there. In fact, the "other" had installed malicious software and was collecting data from the staff of the largest social network.

The penetration tester, Orange Tsai, who works at Devcore in Taiwan, collected $10,000 from Facebook in February after a successful intrusion into the vulnerable system.

In a post published this week, the researcher describes how he managed to compromise the company's server and how he stumbled upon malicious software, installed by someone else, that was stealing the usernames and passwords of FB employees. The login credentials were being collected on an external computer.

According to the researcher, no user information was leaked.

Let's look at the researcher's steps:

By Googling, he started collecting Facebook IP ranges, and that is how Orange discovered files.fb.com.
This host runs a web-based "secure" Accellion file transfer service.
This webapp had previously had a vulnerability that allowed remote code execution, so Orange began looking for similar bugs in the software.
The researcher found that, among other bugs, there was one that allowed SQL injection, which in turn would let him run code remotely. Accellion has since released a patch that closes four security holes (CVE-2016-2350 and CVE-2016-2353).
Having exploited this classic SQL injection bug, he managed to install a webshell and gain control of the system.

Then Orange discovered some PHP scripts that stole the usernames and passwords of Facebook employees who had access to the files.fb.com subdomain. These names and passwords could have been used to access other Facebook pages as well.
The malicious scripts were active at some point in July and September of last year.
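What made this incident notable for defenders is the second finding: credential-harvesting PHP scripts sitting on the web server, unnoticed for months. The following is an added example, not code from the article or from Orange Tsai's write-up, showing one way an administrator could hunt for such scripts in a PHP web root. The indicator patterns and the scoring rule are assumptions chosen for illustration (a script that reads a password field and also writes to a file or makes an outbound connection is flagged, as is anything using common obfuscation calls), and the fixture web root it builds is constructed inline so the script runs offline.

```python
"""Hunt a PHP web root for credential-capture indicators (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristics: each pattern is a behaviour a credential-harvesting
# script usually needs. They are illustrative, not a complete signature set.
INDICATORS = {
    "reads_password_field": re.compile(
        r"\$_(?:POST|REQUEST|GET)\s*\[\s*['\"](?:pass(?:word|wd)?|pwd)['\"]\s*\]", re.I),
    "writes_file": re.compile(r"\b(?:file_put_contents|fwrite|fputs)\s*\(", re.I),
    "sends_out": re.compile(r"\b(?:curl_exec|fsockopen|mail)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13|eval)\s*\(", re.I),
}


def scan_source(src: str) -> set:
    """Return the names of all indicators present in one PHP source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}


def is_suspicious(found: set) -> bool:
    """A login handler legitimately reads the password field; it becomes
    suspicious only when that read is paired with exfiltration (file write or
    outbound call). Obfuscation is flagged on its own."""
    harvests = "reads_password_field" in found and (
        "writes_file" in found or "sends_out" in found)
    return harvests or "obfuscation" in found


def hunt(webroot, newer_than: float = 0.0) -> list:
    """Walk the web root, scan every .php file modified at or after
    `newer_than` (a Unix timestamp), and return flagged files newest first."""
    hits = []
    for path in Path(webroot).rglob("*.php"):
        st = path.stat()
        if st.st_mtime < newer_than:
            continue
        found = scan_source(path.read_text(errors="replace"))
        if is_suspicious(found):
            hits.append({
                "path": path.relative_to(webroot).as_posix(),
                "indicators": sorted(found),
                "mtime": st.st_mtime,
            })
    hits.sort(key=lambda h: h["mtime"], reverse=True)
    return hits


# Constructed fixture: a legitimate login handler. It reads the password
# field but only verifies it against a stored hash, so it must not be flagged.
BENIGN_LOGIN = """<?php
$stmt = $pdo->prepare('SELECT hash FROM users WHERE name = ?');
$stmt->execute([$_POST['username']]);
if (password_verify($_POST['password'], $stmt->fetchColumn())) { session_start(); }
"""

# Constructed fixture: the kind of dropped script the article describes,
# copying submitted credentials to a local file for later collection.
HARVESTER = """<?php
file_put_contents('.cache', $_POST['username'] . ':' . $_POST['password'] . "\\n", FILE_APPEND);
"""


def build_sample_webroot() -> str:
    """Create a throwaway web root containing both fixtures plus a non-PHP file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    (Path(root) / "login.php").write_text(BENIGN_LOGIN)
    (Path(root) / "inc").mkdir()
    (Path(root) / "inc" / "helper.php").write_text(HARVESTER)
    (Path(root) / "readme.txt").write_text("not php, ignored by the hunt")
    # Backdate the legitimate file so a "modified since" filter separates
    # long-standing application code from recently dropped files.
    old = 1_400_000_000
    os.utime(Path(root) / "login.php", (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for hit in hunt(root):
        print(hit["path"], hit["indicators"])
```

In practice the `newer_than` filter is the useful lever: combined with a known-good deployment timestamp, it narrows a large web root down to files that appeared after the last legitimate release, which is exactly where a dropped harvester like the one in this story would show up.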

According to Facebook security engineer Reginaldo Silva, the malware that "pulled" the usernames and passwords had been installed by another security researcher who was also trying to earn a cash reward by breaking into Facebook.

"We are really happy that Orange reported the breach. In this case, the software was used by a third party. As we did not have full control over it, we tried to isolate it from the systems that host Facebook users' data," said Silva.

"We found that the activity detected by Orange was in fact by another researcher involved in the project. Neither of them was able to endanger other parts of our infrastructure. But it is a double victory:

"Two competent researchers evaluated the system, one of them reported what he found and got a good bonus, but neither of them was able to escalate access."

How I Hacked Facebook


Written by Dimitris
