Like a lot of large tech companies, Facebook runs a bug bounty programme as a way of encouraging security researchers and other ethical hackers to find vulnerabilities that might otherwise be exploited by cyber criminals.
For the penetration tester who finds a flaw there’s a financial reward, plus the cachet of having hacked a well-known site. For the hacked organisation there’s the opportunity to patch security flaws without having to look for them.
And, in the case of Facebook, there’s also the (admittedly minor) benefit of another registered user – the social media giant requires researchers to join the network in order to report flaws.
Everyone’s a winner.
So, when penetration tester Orange Tsai of Devcore decided to have a go at Facebook’s bug bounty programme, he was pleased to uncover a number of vulnerabilities, including three instances of cross-site scripting, two local privilege escalation vulnerabilities, and a couple of issues that allowed remote code execution (RCE).
But this wasn’t all he found. As Orange explains:
While collecting vulnerability details and evidence for reporting to Facebook, I found some strange things in the web log.
First of all I found some strange PHP error messages in “/var/opt/apache/php_error_log”. These error messages seemed to be caused by modifying code online?
I followed the PHP paths in the error messages and ended up discovering suspicious WEBSHELL files left by previous “visitors”.
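The triage step Orange describes (read the PHP error log, pull out every script path it names, and look at the ones that should not exist) is easy to automate. The following is an added example, not code from the article or from Orange's write-up; the log lines, paths and deployment manifest are constructed, and the log format assumed is PHP's default `php_error_log` layout.

```python
import re
from collections import Counter

# Matches the location suffix PHP appends to runtime errors ("... in /path/x.php on line N").
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP .*? in (?P<path>/[^\s]+\.php) on line (?P<line>\d+)$"
)

# Constructed sample lines in the default php_error_log format (not taken from the article).
SAMPLE_LOG = """\
[02-Jul-2016 03:12:41 UTC] PHP Parse error:  syntax error, unexpected '}' in /var/www/html/app/lib/upload.php on line 12
[02-Jul-2016 03:14:02 UTC] PHP Warning:  include(): failed to open stream in /var/www/html/app/lib/inc/.cache.php on line 3
[02-Jul-2016 03:14:02 UTC] PHP Warning:  include(): Failed opening 'conf.php' in /var/www/html/app/lib/inc/.cache.php on line 3
[15-Sep-2016 22:01:17 UTC] PHP Notice:  Undefined variable: data in /var/www/html/app/login/core/login.php on line 88
[15-Sep-2016 22:05:49 UTC] PHP Notice:  Undefined index: c in /var/www/html/app/login/core/session.php on line 41
"""

# Constructed manifest of scripts the deployment is expected to contain. In practice this
# comes from the package list, the release tarball or a file-integrity baseline.
DEPLOYED_FILES = {
    "/var/www/html/app/lib/upload.php",
    "/var/www/html/app/login/core/login.php",
}


def parse_error_paths(log_text):
    """Yield (timestamp, path, line) for every PHP error that names a script location."""
    for raw in log_text.splitlines():
        m = ERROR_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("path"), int(m.group("line"))


def unexpected_scripts(log_text, deployed):
    """Return {path: (first_seen, hit_count)} for scripts that PHP errors reference
    but that are absent from the deployment manifest: the first place to look for a
    webshell or an edited-in-place file."""
    first_seen, hits = {}, Counter()
    for ts, path, _ in parse_error_paths(log_text):
        if path in deployed:
            continue
        first_seen.setdefault(path, ts)
        hits[path] += 1
    return {p: (first_seen[p], hits[p]) for p in hits}


if __name__ == "__main__":
    for path, (ts, n) in sorted(unexpected_scripts(SAMPLE_LOG, DEPLOYED_FILES).items()):
        print(f"{ts}  {n:>3}x  {path}")
```

Each flagged path's first-seen timestamp also gives a rough start for the activity window, which is how the two periods of activity in this case were bounded.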
That’s right: someone else had already accessed the server, and had “created a proxy on the credential page to log the credentials of Facebook employees”.
Orange found evidence that “there were two periods that the system was obviously operated by the hacker, one in the beginning of July and one in mid-September”.
After some investigation, Facebook “determined that the activity Orange detected was in fact from another researcher who participates in our bounty program”, and that neither researcher had compromised any other part of Facebook’s infrastructure. Orange won $10,000 for his efforts.
Even tech giants are vulnerable
Facebook and other tech giants know that vulnerabilities are not the rarity that you might hope. (Indeed, according to Facebook’s bug bounty programme, 60 vulnerabilities, including this one, have been identified so far this year.) If organisations of this scale suffer security issues, how do you think your company would fare when attacked? Isn’t it time to find out?
Penetration testing – as advocated by information security best practice such as ISO 27001 – enables you to determine your system’s vulnerabilities by simulating an attack, and to use that information to undertake remedial measures. As new vulnerabilities and means of compromise are constantly discovered and used by criminals, it’s essential to ensure that you remain on top of your security practices.