A Taiwan-based security researcher, known as "Orange Tsai," who was awarded a $10,000 bug bounty in February published a report detailing the exploits that led to his discovery of illicit code on a Facebook server.
A consultant at the security firm Devcore, Orange Tsai said he discovered malware that provided access to Facebook employee's passwords, which had been used by a remote attacker to gain access to employee emails and shared files.
The accessed information appears not to have compromised Facebook users. The researcher wrote that he noticed that Facebook's server used Accellion's web-based Secure File Transfer service, a web application that, while popular among large companies like Facebook, has previously been found to contain serious security issues.
This caught the researcher's attention, and led him to look for potential vulnerabilities in the file transfer application. He ultimately discovered several vulnerabilities, including a SQL injection flaw that enabled remote code execution. Accellion patched the vulnerability in February.
A member of Facebook's security group wrote on Hacker News that Facebook did not have full control of the software, so it was run isolated from systems that host the company's user data. “We do this precisely to have better security, wrote Reginaldo, the Facebook employee. “After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program.”
Once Orange Tsai gained access to Facebook's server, he explored the web server log files and noticed an unusual traffic pattern, which led to his discovery of the illicit code.
Reginaldo at Facebook continued, “After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infra-structure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.”
The situation is reminiscent of another incident Facebook faced last year, in which the company claimed that security researcher Wesley Wineberg unethically exploited a flaw to escalate another vulnerability.
In speaking with SCMagazine.com, Wineberg, a security consultant at Synack, said, “This researcher did exactly what I did.” However, the company has since updated its policy to explicitly prohibit researchers from escalating exploits in this way.
Wineberg said he finds it encouraging to see that “they are changing how they deal with researchers.”