A hacker has discovered malware on a Facebook server that leaked employees' usernames and passwords.
The bounty hunter known by their pseudonym, Orange Tsai - broke into one of the social network's Linux-based servers, but found that another hacker had already installed malware that stole users' access details, sending them to a remote computer.
Tsai collected a $10,000 cheque for their discovery, with Facebook saying the bug was the work of another hacker also trying to collect a bounty from the social media giant.
Facebook's security engineer, Reginaldo Silva, posted in a forum to say: "The activity Orange detected was in fact from another researcher who participates in our bounty program.
"Neither of them were able to compromise other parts of our infra-structure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."
Tsai explained that they gained access to the server via an internal Facebook domain called The Facebook Network (vpn.tfbnw.net), using an insecure file transfer server Accellion's Secure File Transfer.
Tsai discovered seven exploits in this file-share and sync tool, triggering them to take control of the server which was when they "found some strange things on web log", including PHP error messages.
I followed the PHP paths in error messages and ended up with discovering suspicious WEBSHELL files left by previous visitors'," they said.
Image courtesy of JD Lasica
One of these files stood out. "The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while," Tsai said.
"The time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly "@fb.com" and "@facebook.com". Upon seeing it I thought it's a pretty serious security incident."
Tsai said they collected evidence of the hack and reported it to Facebook, collecting the $10,000 bounty.
Facebook's Silva added: "We're really glad Orange reported this to us. On this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook."
Two-factor authentication firm SecureAuth's chief security architect, James Romer, said Facebook should not be relying on usernames and passwords for its employees.
"It's astounding that a company such as Facebook, which handles the details of millions of users worldwide, would still be relying on a username and password combination for employee logins when it's well known that this is not an adequate authentication method on its own," he said.
"This malware being installed in one of the most well-known organisations in the world is a hefty reminder yet again that businesses cannot rely on a simplistic approach to authentication."
