Short Bytes: If you lead the life of a penetration tester or a bug hunter, your job offers you new challenges every day. One such incident occurred when a security researcher stumbled upon another hacker’s backdoor script while hacking Facebook. Using an SQL injection flaw in the FTA application, he was able to take complete control of Facebook’s server machine.
Tsai scanned Facebook’s IP address space and noticed a new domain name that sparked his interest. The domain name — tfbnw.net — ran on multiple servers, including one running Accellion’s Secure File Transfer (FTA) application.
Tinkering further, he was able to identify vulnerabilities in Accellion FTA by examining its source code. Here are the flaws he discovered:
- Three cross-site scripting (XSS) flaws
- A known-secret-key flaw that could result in remote code execution
- A pre-authentication SQL injection that leads to remote code execution
- Two local privilege escalation issues
Using the SQL injection flaw, he was able to take complete control of Facebook’s server machine.
As the next step, while collecting more information to submit a bug report to Facebook, he found certain PHP scripting error messages that pointed towards the possibility of a webshell on the server, providing remote access for unknown attackers. It basically acted as a server-side keylogger.
In his blog post, Tsai writes that he believed it to be an attempt to collect Facebook staffer logins. “The hacker created a proxy on the credentials page to log the credentials of Facebook employees,” Tsai wrote.
Tsai further examined the log files to find out how the hacker collected the logged data from time to time and attempted to steal SSL private keys.
This February, Tsai reported the incident to Facebook and received a $10,000 bug bounty from Facebook. Facebook later patched this server flaw.