While a security researcher was hunting for bugs in Facebook's infrastructure, he noticed that a backdoor script had already been uploaded by an unknown attacker to a Facebook login page to capture employee credentials. The logged passwords were stored under the web directory, where the attacker could retrieve them with wget every once in a while.
Tsai reported the issue to Facebook on 5 February.
The company launched an internal investigation, and the issue was fixed on 20 April, allowing the security company DevCore to publish the proof of concept (PoC). Orange Tsai, a consultant for DevCore, also spends much of his free time helping big-name companies that address vulnerabilities through their bug bounty programs.
At the end of February, Tsai decided to give Facebook's bug bounty program one more try and started charting some of the company's backend services, looking for servers he might be able to break into.
The researcher even compromised Facebook's internal file-sharing application.
Among these class C IP addresses he found a server for the files.fb.com domain, an online file transfer and file hosting service running Accellion's Secure FTA (File Transfer Application).
After identifying the application's type and version, the researcher went to work investigating its source code and found cross-site scripting (XSS) flaws, two local privilege escalation issues, a known-secret-key issue that led to remote code execution, and a pre-auth SQL injection that also led to remote code execution.
The researcher used the SQL injection flaw he had found in the FTA application to access Facebook's server and gain complete control over the machine.
Once he had reached his goal, the researcher began gathering the information needed to submit a bug report to Facebook's staff. While looking through one of the server's logs, Tsai discovered a large number of suspicious error messages.
Tsai traced these messages to a web shell that, he was sure, had not been uploaded by any Facebook employee. While investigating the web shell's source code, Tsai discovered evidence of a server-side keylogger that intercepted login operations and collected Facebook employees' credentials in a local log file.
The researcher then examined additional log files, which showed how the attacker returned at various intervals to collect the logged data, map the local network, and attempt to steal the SSL private keys.
Details of the attacker's activity revealed two separate periods: one in July 2015 and another in mid-September 2015.
Tsai sent Facebook a bug report about the incident and received a $10,000 bug bounty for his efforts.
Reginaldo, a member of Facebook's security team, said:
We're really glad Orange reported this to us. In this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook.
We do this precisely to have better security, as chromakode mentioned. After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.