A security researcher who spends his time hunting bug bounties managed to compromise a server used by Facebook staff through an insecure file-sharing web application, and discovered that someone else was already there. That "someone else" had installed malicious software and was collecting credentials from employees of the largest social network.
The penetration tester, Orange Tsai of the Taiwanese firm DEVCORE, collected a $10,000 bounty from Facebook in February after successfully breaking into the vulnerable system.
In a write-up published this week, the researcher describes how he compromised the company's Linux server and how he stumbled upon malware, installed by someone else, that was stealing the usernames and passwords of Facebook employees. The harvested login credentials were being sent to an external machine.
According to the researcher, no user data was leaked.
Let's look at the researcher's steps:
By searching Google and mapping Facebook's IP ranges, Orange discovered the host files.fb.com.
This site ran Accellion's web-based "secure" file transfer service (the Accellion File Transfer Appliance).
The product had previously suffered a remote code execution vulnerability, so Orange began looking for similar bugs in the software.
Among other flaws, he found an SQL injection that could be escalated to remote code execution. Accellion has since released a patch closing four security holes (CVE-2016-2350 through CVE-2016-2353).
By exploiting this classic SQL injection flaw, he installed a webshell and gained control of the system.
Orange then discovered several PHP scripts that were harvesting the usernames and passwords of Facebook employees who logged in to the files.fb.com subdomain. These credentials could have been reused to access other Facebook services.
Server logs showed the malicious scripts had been active in July and again in September of the previous year.
According to Facebook security engineer Reginaldo Silva, the malware that harvested the usernames and passwords had been installed by another security researcher who was also trying to earn a bounty by breaking into Facebook.
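The root cause described above is the textbook string-built SQL query. The following example is added here for illustration and is not Accellion's code, Orange Tsai's exploit, or anything from the original write-up; the table, the user record and the payload are all constructed for the demo. It shows a login check built by concatenation, the same check with bound parameters, and how the classic `' OR '1'='1` payload bypasses the former but not the latter:

```python
import sqlite3

# Constructed in-memory database standing in for an appliance's user table.
# Illustrative only: this is not the vulnerable product's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def build_vulnerable_query(username, password):
    """Builds the SQL by string formatting: attacker input becomes part of the statement."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))

def login_vulnerable(conn, username, password):
    """Classic injectable login: with password = "' OR '1'='1" the WHERE clause
    becomes (username = ... AND password = '') OR '1'='1', which is always true."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None

def login_hardened(conn, username, password):
    """Same lookup with bound parameters; the input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

# Constructed payload: closes the password literal and appends a tautology.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("nobody", PAYLOAD))
    print("vulnerable login bypassed:", login_vulnerable(db, "nobody", PAYLOAD))
    print("hardened login bypassed:  ", login_hardened(db, "nobody", PAYLOAD))
```

The hardened version does nothing clever: it simply lets the database driver bind the values, so the quote in the payload can never terminate the string literal. In the real incident the injection was the entry point; once a database query can be controlled, writing a webshell to the document root is often only a few steps away.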
"We really are happy that Orange reported the violation. In this case, the software was used by a third party. As we did not have full control over it, we tried to isolate it from the systems that host Facebook users' data," said Silva.
"We found that the activity detected by Orange was in fact by another researcher involved in the project. None of them were able to endanger other parts of our infrastructure. But it is a double victory:
"Two competent researchers are evaluating the system, one of them reported what he found and got a good bonus, but neither of them was able to escalate access."