Facebook malware leaks employees' usernames and passwords

Hacker discovers malware in "astounding" Facebook security breach

A hacker has discovered malware on a Facebook server that leaked employees' usernames and passwords.

The bounty hunter known by their pseudonym, Orange Tsai - broke into one of the social network's Linux-based servers, but found that another hacker had already installed malware that stole users' access details, sending them to a remote computer.

Tsai collected a $10,000 cheque for their discovery, with Facebook saying the bug was the work of another hacker also trying to collect a bounty from the social media giant.

Facebook's security engineer, Reginaldo Silva, posted in a forum to say: "The activity Orange detected was in fact from another researcher who participates in our bounty program.

Advertisement - Article continues below
Advertisement - Article continues below

"Neither of them were able to compromise other parts of our infra-structure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

Tsai explained that they gained access to the server via an internal Facebook domain called The Facebook Network (vpn.tfbnw.net), using an insecure file transfer server Accellion's Secure File Transfer.

Tsai discovered seven exploits in this file-share and sync tool, triggering them to take control of the server which was when they "found some strange things on web log", including PHP error messages.

I followed the PHP paths in error messages and ended up with discovering suspicious WEBSHELL files left by previous visitors'," they said.

Image courtesy of JD Lasica

One of these files stood out. "The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while," Tsai said.

Advertisement - Article continues below

"The time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly "@fb.com" and "@facebook.com". Upon seeing it I thought it's a pretty serious security incident."

Tsai said they collected evidence of the hack and reported it to Facebook, collecting the $10,000 bounty.

Facebook's Silva added: "We're really glad Orange reported this to us. On this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook."

Two-factor authentication firm SecureAuth's chief security architect, James Romer, said Facebook should not be relying on usernames and passwords for its employees.

Advertisement - Article continues below

"It's astounding that a company such as Facebook, which handles the details of millions of users worldwide, would still be relying on a username and password combination for employee logins when it's well known that this is not an adequate authentication method on its own," he said.

"This malware being installed in one of the most well-known organisations in the world is a hefty reminder yet again that businesses cannot rely on a simplistic approach to authentication."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019

How to protect against a DDoS attack

25 Oct 2019

Best antivirus for Windows 10

3 Sep 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020