How A Bug Hunter Hacked Facebook And Found Another Hacker’s Backdoor

Facebook hack backdoor

Short Bytes: If you lead the life of a penetration tester or a bug hunter, your job offers you new challenges every day. One such incident occurred when a security researcher stumbled upon another hacker’s backdoor script while hacking Facebook. Using an SQL injection flaw in the FTA application, he was able to take complete control of one of Facebook’s servers.

Orange Tsai, a consultant for DevCore, found that a backdoor script was logging Facebook employees’ credentials for some backend applications. Bug hunting isn’t a new job for Tsai; he spends a lot of time finding bugs in the services and websites of big companies.

Tsai scanned Facebook’s IP address space and noticed a domain name that sparked his interest. The domain — tfbnw.net — was served by multiple hosts, one of which was running Accellion’s Secure File Transfer (FTA) application.

files.fb.com FTA interface

Digging further, he identified several vulnerabilities in Accellion’s FTA by examining its source code. These are the flaws he discovered:

  • Three cross-site scripting (XSS) flaws
  • A known-secret-key flaw that could result in remote code execution
  • A pre-authentication SQL injection that leads to remote code execution
  • Two local privilege escalation issues

Using the SQL injection flaw, he was able to take complete control of the Facebook server.


As the next step, while collecting more information for a bug report to Facebook, he came across PHP error messages that pointed to a webshell already present on the server, one that gave unknown attackers remote access. In effect, it acted as a server-side keylogger.

Webshell on Facebook server

In his blog post, Tsai writes that he believed it to be an attempt to collect Facebook staffer logins. “The hacker created a proxy on the credentials page to log the credentials of Facebook employees,” Tsai wrote.

Tsai then went through the log files and found that the attacker had been collecting the logged credentials from time to time and had also attempted to steal SSL private keys.

This February, Tsai reported the incident to Facebook and received a $10,000 bug bounty. Facebook later patched the server flaw.

Adarsh Verma

Fossbytes co-founder and an aspiring entrepreneur who keeps a close eye on open source, tech giants, and security. Get in touch with him by sending an email — [email protected]