Friendly hacker finds backdoor in Facebook

Facebook's internal systems were compromised: a server containing staff details was hit by malware that opened a backdoor through which usernames and passwords could be extracted. The issue was reported by a bug bounty hunter and has since been fixed.

Orange Tsai was the exploit hunter in question. He discovered the vulnerability in the Facebook server back in February and reported it to the social network's security team.

As Betanews reports, Tsai hacked into the Facebook server and discovered password-stealing PHP scripts – obviously a very serious issue. So it isn't surprising that he received a large payment for this bit of white hat hacking: a week after reporting the issue, he was told he'd be rewarded to the tune of $10,000 (around £7,000, or AU$13,000).

It's a worrying glimpse into how even web giants like Zuckerberg's firm are open to being exploited by just a single individual with some hacking smarts.

Note that this was a staff server and the backdoor was pilfering Facebook staff members' credentials (as opposed to those of actual users of the social network). Tsai says he found around 300 logged credentials dated to the first week of February when he pulled off his hack.

Not malicious

The Facebook security engineer who dealt with the case, Reginaldo Silva, said the backdoor had actually been put there by another bounty-hunting security researcher, so this too was a white hat action of sorts, and apparently not a malicious attack.

Silva noted: "Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

According to Tsai, the other hacker made attempts to probe further and access Facebook's internal mail system, for example, but wasn't successful in these endeavours. Tsai also noted there were two periods of time when the backdoor was utilised last year, and he wonders whether this might have been different hackers at work – although Facebook clearly believes this was just one person.

Of course, the hole has now been patched, and Facebook conducted an extensive forensic investigation over the past couple of months. That investigation was completed last week, leaving Tsai free to post about and discuss the issue.