Apr 26, 2016 3:45 PM PT
A white hat hacker last week announced the discovery of more than a half-dozen security flaws in some software Facebook used on its corporate network.
While performing penetration testing of some third-party software in a network appliance Facebook used, Orange Tsai, a security researcher for Devcore, discovered seven vulnerabilities that attackers could use to compromise a system, as well as a backdoor script left by someone else who’d penetrated the network.
The researcher was conducting tests as part of Facebook’s bug bounty program. After reporting the findings to Facebook, he received US$10,000 for his efforts.
The company no longer uses the software Tsai tested, and it was never part of the systems that run Facebook, including the systems that host the data people share on the site, the company said.
As for the traces of a backdoor the researcher found, “we conducted a thorough investigation and determined that the activity Orange detected actually was another security researcher that was also participating in our bug bounty program and who was testing the same third-party software,” said a statement provided to TechNewsWorld by Facebook spokesperson Jay Nancarrow.
Facebook’s explanation of the back door makes the discovery relatively benign, noted Ben Desjardins, director of security solution marketing at Radware.
“Facebook is claiming the proxy login page was actually set up by another white hat hacker, essentially saying two ethical hackers bumped into each other while trying to penetrate the network,” he told TechNewsWorld. “If so, it’s likely little or no harm was done.”
Even if the vulnerabilities Tsai found had led to compromised credentials, it would have been difficult for black hats to authenticate themselves on Facebook’s systems because of two-factor authentication, which typically requires a code sent to a mobile phone in addition to a username and password to log in to a system.
“Without two-factor authentication, a hacker could use stolen credentials to navigate the network and traverse to all the critical servers,” said Ajit Sancheti, CEO of Preempt Security.
“Credential theft drives a majority of data breaches,” he told TechNewsWorld. “If my credentials are compromised and someone is able to get in to my network, then they’ll have access that will get them to most places on a network.”
Nevertheless, the seven vulnerabilities discovered in the software in the Accellion Secure File Transfer appliance Facebook used are nothing to be ignored, noted Jean-Philippe Taggart, a senior security researcher with Malwarebytes Labs.
“I would classify these vulnerabilities as serious indeed,” he told TechNewsWorld.
“What was even more worrisome is that this researcher found evidence of another compromise, performed by a malicious actor in the form of malicious toolsets. He analyzed these and showed that they were attempting to harvest credentials,” Taggart added.
“The ultimate goal would have been establishing a beachhead into the internal Facebook network,” he noted. “Then the natural progression would be to pivot through the network while attempting to gather credentials and exfiltrate valuable information.”
Bigger Threats Ahead?
Hackers need not penetrate Facebook’s corporate servers to steal valuable intellectual property, noted Danny Rogers, CEO of Terbium Labs.
“We’ve seen elements of Facebook source code leaked to the Internet,” he told TechNewsWorld. “Most of it is inadvertently leaked by Facebook developers.”
Developers often post snips of code online when seeking help from other developers in solving a programming problem, Rogers said.
“People can piece together those snips into significant chunks of Facebook source that includes things like database credentials, which can be used to develop more serious exploits,” he said.
Companies don’t have to be in the social media business to learn from Tsai’s methods and Facebook’s support of the researcher, Taggart noted. Enterprises should set up bug bounty programs and hire penetration testers to check on the strength of defenses.
“Having a completely external entity look at your infrastructure is the closest you can get to the mindset of an actual attacker,” he said. “This exercise allowed Facebook to better secure this application and boot out a genuine malicious actor who was intent on collecting Facebook staff credentials.”