Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Facebook Privacy Social Networks

'I Hacked Facebook -- and Found Someone Had Beaten Me To It' (theregister.co.uk) 51

An anonymous reader shares an article on The Register: A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp -- and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system. According to Tsai, he or she stumbled across malware installed by someone else that was stealing usernames and passwords of FB employees who logged into the machine. The login credentials were siphoned off to an outside computer. According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.
This discussion has been archived. No new comments can be posted.

'I Hacked Facebook -- and Found Someone Had Beaten Me To It'

Comments Filter:
  • May as well exploit the the machine for a while before revealing the bug.

    • by Anonymous Coward

      You have to in order to claim the bounty.

      Corporations have a long history of refusing to cough up the cash in bug bounties (or worse, siccing the authorities on the bug bounty hunter). So to protect themselves (and to prove the bug exists), the "official" way to report bug bounties is to steal a bunch of data, rig it to be released to the public in the event the bug bounty hunter fails to "check in" every so often and THEN report it, just in case the company decides to renege on the deal.

      • "Fails to check in"? Suddenly bug bounties sound a lot more sinister than they used to :/.
        • by Anonymous Coward

          nah, Just five years ago I was threatened by the same person who personally authorized me to hack their organization for 5 grand prize that they're gonna sue me if I keep digging. still hurts. what hurts more is that the vulnerabilites are still there. on all the damn servers. the fucking tftp is still open to the world

        • They dont call it a "dead man's switch" for nothing.

  • by Anonymous Coward

    http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html

    It amazes me that despite all of their problems, so many companies still trust Accellion. I think our installation was $50k.

    • by Anonymous Coward

      Yeah google for soggycat, this shit's been vulnerable since 2011. This isn't a FB vuln, it's 100% Accellion. What a piece of shit appliance. I'm in the wrong business, I should create a "cloud file upload service" with no security and sell it as an enterprise solution for $50K apiece.

      • by Z34107 ( 925136 ) on Saturday April 23, 2016 @11:38PM (#51976031)

        Holy shit, you weren't kidding [seclists.org]. Quoting selected bugs:

        • The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key [...] These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF.
        • One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent
        • The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. The "soggycat" user account [...] also has two SSH keys configured for passwordless login. These keys were generated over eight years ago.
        • All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.
        • The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker than talk to the rsync daemon can take full control of the appliance.

        This is amateur hour, though still better than what runs our power grid and water treatment plants.

        • When ShellShock hit, Accellion was the *LAST* vendor of the many I deal with to patch their product. The LAST. That's pretty sad for a web-facing security product. Shame on them.
  • by rmdingler ( 1955220 ) on Saturday April 23, 2016 @08:48PM (#51975575) Journal
    If the universe is indeed a clever simulation, are you now discovering a hack with a hack in a universe that's been hacked and hacked until it resembles an infinity mirror?
    • by Anonymous Coward

      Electric sheep dream of me.

  • $10,000 is peanuts for the login credentials of a ton of facebook employees.

    In today's Internet, Facebook hacks YOU!

  • by NotInHere ( 3654617 ) on Saturday April 23, 2016 @09:48PM (#51975759)

    Yet another reason why SSH password based authentication is so bad. Both SSH agent forwarding and SSH password based auth are best disabled. Then they can't intercept anything.

  • by Frosty Piss ( 770223 ) * on Saturday April 23, 2016 @09:54PM (#51975775)

    According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

    And this is why I have a problem with this whole "terminology" of the so-called "security researcher". Facts are facts and who ever it was that installed and left malware that "slurped" passwords and usernames clearly was not a "security researcher", but rather a run-of-the-mill hacker , or call him (almost certainly a him) what every you want, but NOT a "security researcher".

  • He got sloppy seconds!

  • Aren't poking around in a system, and slurping passwords two different things?
    • by Bob_Who ( 926234 )

      Aren't poking around in a system, and slurping passwords two different things?

      Poking and slurping both sound a bit kinky. But snorting passwords is definitely illicit.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...