Facebook malware leaks employees' usernames and passwords

Hacker discovers malware in "astounding" Facebook security breach

A hacker has discovered malware on a Facebook server that leaked employees' usernames and passwords.

The bounty hunter known by their pseudonym, Orange Tsai - broke into one of the social network's Linux-based servers, but found that another hacker had already installed malware that stole users' access details, sending them to a remote computer.

Tsai collected a $10,000 cheque for their discovery, with Facebook saying the bug was the work of another hacker also trying to collect a bounty from the social media giant.

Facebook's security engineer, Reginaldo Silva, posted in a forum to say: "The activity Orange detected was in fact from another researcher who participates in our bounty program.

Advertisement
Advertisement - Article continues below

"Neither of them were able to compromise other parts of our infra-structure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

Tsai explained that they gained access to the server via an internal Facebook domain called The Facebook Network (vpn.tfbnw.net), using an insecure file transfer server Accellion's Secure File Transfer.

Tsai discovered seven exploits in this file-share and sync tool, triggering them to take control of the server which was when they "found some strange things on web log", including PHP error messages.

I followed the PHP paths in error messages and ended up with discovering suspicious WEBSHELL files left by previous visitors'," they said.

Image courtesy of JD Lasica

One of these files stood out. "The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while," Tsai said.

"The time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly "@fb.com" and "@facebook.com". Upon seeing it I thought it's a pretty serious security incident."

Tsai said they collected evidence of the hack and reported it to Facebook, collecting the $10,000 bounty.

Facebook's Silva added: "We're really glad Orange reported this to us. On this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook."

Two-factor authentication firm SecureAuth's chief security architect, James Romer, said Facebook should not be relying on usernames and passwords for its employees.

Advertisement
Advertisement - Article continues below

"It's astounding that a company such as Facebook, which handles the details of millions of users worldwide, would still be relying on a username and password combination for employee logins when it's well known that this is not an adequate authentication method on its own," he said.

"This malware being installed in one of the most well-known organisations in the world is a hefty reminder yet again that businesses cannot rely on a simplistic approach to authentication."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far/page/0/1
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019