
Security researcher finds major backdoor script on Facebook's server

Orange Tsai was awarded $10,000 by Facebook for his efforts.

Mumbai: Getting past Facebook’s internal network is a dream for any hacker. Some of them probe and monitor the social network to earn large bounties, while grey- or black-hat hackers have a more malicious rationale.

In a recent revelation, a security researcher from Taiwanese security vendor Devcore ‘accidentally discovered’ a backdoor script planted in one of Facebook’s corporate servers.

Orange Tsai, a security researcher and bug-bounty hunter, was looking to hack the social networking site to find other security vulnerabilities/ bugs to earn bounty from the company; however, he ended up discovering something which was far more than a minor error.

A report on Hackernews pointed out that Tsai initially scanned Facebook’s IP ranges, which led him to the files.fb.com domain. That host was running a vulnerable version of the secure file transfer application (FTA) made by Accellion, which employees used for file sharing and collaboration.

After analysing the susceptible FTA, he discovered seven security flaws which included three cross-site scripting (XSS) flaws, two remote code execution flaws, and two local privilege escalation issues.

Later, Tsai used the vulnerabilities he had found in the Accellion secure FTA to gain access to Facebook’s server.

Just as Tsai started preparing his report on the bugs he had discovered on the server, he spotted a malicious PHP-based backdoor, or PHP web shell. This tool, which gives an attacker remote control over the server and the data on it, must have been installed by some other hacker.

While the corporate server has no ties to the social networking site’s main servers, it is still a major source of information for any malicious hacker.

After reporting the incident, Tsai was awarded $10,000 (approximately Rs 6,70,000) by Facebook for his efforts.

You can read Orange Tsai’s blog for a detailed narration on this link.

( Source : Deccan Chronicle. )