Security consultant Orange Tsai, of the Taiwanese penetration testing outfit Devcore, had begun by mapping Facebook's online products. While doing this, one server caught his attention: files.fb.com, which hosted a secure file transfer application made by enterprise software vendor Accellion and was probably used by Facebook employees for file sharing and collaboration. Tsai examined the application and discovered seven vulnerabilities, including two remote code execution flaws. He used the vulnerabilities to gain access to Facebook's corporate server and started collecting details from its logs in order to write a report for Facebook's security team. In the server's logs he spotted some strange errors pointing to a PHP-based backdoor, known as a PHP web shell, that had possibly been installed on the server by a malicious hacker. Tsai reported all his findings to Facebook and was later awarded a $10,000 bug bounty; Facebook launched its own forensic investigation, which was completed this month, permitting him to disclose the vulnerabilities responsibly.