A security researcher who managed to hack through the security of one of Facebook’s corporate networks said he found evidence of another hacker having been there too, and having installed a backdoor to steal employees’ credentials.
Penetration tester Orange Tsai, of Taiwanese cybersecurity firm Devcore, said the other hacker had set up a tool to collect and exfiltrate Facebook employees’ usernames and passwords as they logged in.
He himself got in by exploiting vulnerabilities in third-party software, from a company called Accellion, that is used for file transfers.
Tsai reported the vulnerabilities and his findings to Facebook, and got paid $10,000 under the company’s “Bug Bounty” scheme.
On Hacker News, a member of Facebook’s security team thanked Tsai and claimed the other hacker in question was also a well-meaning individual trying to collect money under Facebook’s bug-hunting program.
“Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it’s a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access,” Reginaldo Silva wrote.
Silva also said that, because it had been using third-party software that it could not control, it had run the software “isolated from the systems that host the data people share on Facebook.”
“We do this precisely to have better security,” he noted.
Facebook had not responded to a request for comment at the time of writing.