A security researcher who regularly hunts bug bounties managed to compromise a Facebook staff server through an insecure file-sharing web application, and discovered that someone else was already there. In fact, the "other" party had installed malicious software and was collecting data from the staff of the world's largest social network.
The penetration tester, Orange Tsai, who works at the Taiwanese firm Devcore, collected a $10,000 reward from Facebook in February for his successful intrusion into the vulnerable system.
In a write-up published this week, the researcher describes how he compromised the company's Linux server and how he stumbled upon malware that someone else had installed, which was stealing the usernames and passwords of FB employees. The harvested login credentials were being sent to an external machine.
According to the researcher, no user data was leaked.
Let's look at the researcher's steps:
By searching Google, he started collecting Facebook IP ranges. That is how Orange discovered files.fb.com.
This host runs a web-based "secure" file transfer service from Accellion.
That product had previously suffered a remote code execution vulnerability, so Orange began looking for similar bugs in the software.
Among other flaws, the researcher found a SQL injection vulnerability that let him run code remotely. Accellion has since released a patch that closes four security holes (CVE-2016-2350 through CVE-2016-2353).
By exploiting this classic SQL injection error he was able to install a webshell and gain control of the system.
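To make the "classic error" concrete, the following added example (not code from Accellion, Facebook or Orange Tsai's write-up) shows a login check with attacker input spliced into the SQL text next to its parameterised fix. The user table, its single row and the two payloads are constructed here, and an in-memory SQLite database stands in for the application's real DBMS; how an injection is then turned into code execution depends on the product and is not shown.

```python
"""Added example: a textbook SQL injection and its parameterised fix.

Constructed data throughout: the users table, the single 'alice' row and the
payloads are made up for the demonstration. SQLite in memory stands in for a
web application's database.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled strings are concatenated into the SQL statement."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Parameterised query: values travel separately from the statement text,
    so quotes or comment markers in the input cannot alter its structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Two constructed payloads:
#  - a tautology in the password field: the trailing OR '1'='1' makes the
#    WHERE clause true for every row;
#  - a comment marker in the username field: everything after -- is dropped,
#    so the password check never runs.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def demo():
    """Return the outcome of each login attempt as a dict of booleans."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "fixed_legit": login_fixed(conn, "alice", "correct horse"),
        "fixed_tautology": login_fixed(conn, "alice", TAUTOLOGY),
        "fixed_comment": login_fixed(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} -> {'logged in' if ok else 'rejected'}")
```

Both injected payloads authenticate against the concatenated query and are rejected by the parameterised one, while the genuine password works in both. Parameterisation is the fix to reach for first; input filtering alone is what "classic" SQL injection bugs routinely slip past.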
Orange then discovered several PHP scripts that stole the usernames and passwords of Facebook employees who had logged in to the files.fb.com subdomain. Those credentials could have been used to access other Facebook systems as well.
The malicious scripts had been active at some point in July and again in September of the previous year.
According to Facebook security engineer Reginaldo Silva, the malware that harvested the usernames and passwords had been installed by another security researcher who was also trying to earn a cash reward by breaking into Facebook.
"We are really happy that Orange reported the breach. In this case, the software was used by a third party. As we did not have full control over it, we tried to isolate it from the systems that host Facebook users' data," said Silva.
"We found that the activity detected by Orange was in fact the work of another researcher taking part in the program. Neither of them was able to endanger other parts of our infrastructure. But it is a double victory: two competent researchers were evaluating the system, one of them reported what he found and received a good bounty, and neither of them was able to escalate access."