Slashdot Mirror


'I Hacked Facebook -- and Found Someone Had Beaten Me To It' (theregister.co.uk)

An anonymous reader shares an article on The Register: A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp -- and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system. According to Tsai, he or she stumbled across malware installed by someone else that was stealing usernames and passwords of FB employees who logged into the machine. The login credentials were siphoned off to an outside computer. According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

28 of 51 comments

  1. Makes sense by fustakrakich · · Score: 1

    May as well exploit the machine for a while before revealing the bug.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Makes sense by Anonymous Coward · · Score: 1

      You have to in order to claim the bounty.

      Corporations have a long history of refusing to cough up the cash in bug bounties (or worse, siccing the authorities on the bug bounty hunter). So to protect themselves (and to prove the bug exists), the "official" way to report bug bounties is to steal a bunch of data, rig it to be released to the public in the event the bug bounty hunter fails to "check in" every so often and THEN report it, just in case the company decides to renege on the deal.

    2. Re: Makes sense by liqu1d · · Score: 2

      "Fails to check in"? Suddenly bug bounties sound a lot more sinister than they used to :/.

    3. Re: Makes sense by Anonymous Coward · · Score: 1

      Nah, just five years ago I was threatened by the same person who personally authorized me to hack their organization for a 5 grand prize that they're gonna sue me if I keep digging. Still hurts. What hurts more is that the vulnerabilities are still there. On all the damn servers. The fucking tftp is still open to the world.

    4. Re: Makes sense by Anonymous Coward · · Score: 2, Funny

      Ip address? Just so I can verify your story is true...

    5. Re: Makes sense by radiumsoup · · Score: 1

      you got that authorization in writing, though, right? ...right???

    6. Re: Makes sense by silentcoder · · Score: 1

      They don't call it a "dead man's switch" for nothing.

      --
      Unicode killed the ASCII-art *
  2. Yet another Accellion file appliance hack by Anonymous Coward · · Score: 1

    http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html

    It amazes me that despite all of their problems, so many companies still trust Accellion. I think our installation was $50k.

    1. Re:Yet another Accellion file appliance hack by Anonymous Coward · · Score: 1

      Yeah google for soggycat, this shit's been vulnerable since 2011. This isn't a FB vuln, it's 100% Accellion. What a piece of shit appliance. I'm in the wrong business, I should create a "cloud file upload service" with no security and sell it as an enterprise solution for $50K apiece.

    2. Re:Yet another Accellion file appliance hack by Z34107 · · Score: 5, Informative

      Holy shit, you weren't kidding. Quoting selected bugs:

      • The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key [...] These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF.
      • One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent.
      • The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. The "soggycat" user account [...] also has two SSH keys configured for passwordless login. These keys were generated over eight years ago.
      • All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.
      • The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker that can talk to the rsync daemon can take full control of the appliance.

      This is amateur hour, though still better than what runs our power grid and water treatment plants.

      --
      DATABASE WOW WOW
    3. Re:Yet another Accellion file appliance hack by HappyHackerness · · Score: 1

      When ShellShock hit, Accellion was the *LAST* vendor of the many I deal with to patch their product. The LAST. That's pretty sad for a web-facing security product. Shame on them.

  3. cat tongues are like sandpaper by rmdingler · · Score: 4, Funny

    If the universe is indeed a clever simulation, are you now discovering a hack with a hack in a universe that's been hacked and hacked until it resembles an infinity mirror?

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:cat tongues are like sandpaper by Anonymous Coward · · Score: 1

      Electric sheep dream of me.

  4. A $10,000 reward is peanuts in this context. by BarbaraHudson · · Score: 1

    $10,000 is peanuts for the login credentials of a ton of facebook employees.

    In today's Internet, Facebook hacks YOU!

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:A $10,000 reward is peanuts in this context. by phantomfive · · Score: 1

      Yeah. That's why the previous hackers decided to steal credentials instead of reporting it.

      --
      "First they came for the slanderers and i said nothing."
  5. SSH keys by NotInHere · · Score: 2

    Yet another reason why SSH password based authentication is so bad. Both SSH agent forwarding and SSH password based auth are best disabled. Then they can't intercept anything.
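The two hardening settings the comment names can be checked mechanically. The following is an added example, not code from the thread or from any project mentioned in it: a POSIX shell audit of an OpenSSH sshd_config that reports whether PasswordAuthentication and AllowAgentForwarding are effectively disabled. It relies on two OpenSSH facts: the first value found for a keyword wins, and both keywords default to "yes", so a missing or commented-out line is as weak as an explicit "yes". The sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit an OpenSSH sshd_config
# for password authentication and agent forwarding, both of which the comment
# above recommends disabling. Assumes plain "Keyword value" syntax and only
# inspects the global section (settings before the first Match block).

# effective_value FILE KEYWORD
# Print the first value of KEYWORD in the global section, lower-cased and with
# comments stripped. Prints nothing if the keyword is absent (default applies).
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }                    # drop comments; awk re-splits fields
    tolower($1) == "match" { exit }       # global section ends at first Match
    tolower($1) == key    { print tolower($2); exit }   # first value wins
  ' "$1"
}

# weak_settings FILE
# Print the name of every audited keyword whose effective value is not "no".
# Output is empty when the file is hardened for both settings.
weak_settings() {
  for key in PasswordAuthentication AllowAgentForwarding; do
    val=$(effective_value "$1" "$key")
    # OpenSSH defaults both keywords to "yes", so unset counts as weak.
    if [ "$val" != "no" ]; then
      printf '%s\n' "$key"
    fi
  done
  return 0
}

# Constructed sample 1: a typical default-ish config. PasswordAuthentication
# is only disabled inside a Match block, which does not protect the global
# section, and agent forwarding is explicitly allowed.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
# PasswordAuthentication no   <- commented out, so the default (yes) applies
AllowAgentForwarding yes      # explicit weak value
Match User backup
    PasswordAuthentication no # only applies to this user
EOF

# Constructed sample 2: the hardened equivalent the comment recommends.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
AllowAgentForwarding no
EOF

# Demo: list weak settings in each file.
echo "weak config:";     weak_settings "$WEAK_CFG" | sed 's/^/  WEAK: /'
echo "hardened config:"; weak_settings "$HARD_CFG" | sed 's/^/  WEAK: /'
```

The audit stops at the first Match block on purpose: a Match block only narrows settings for the users or hosts it matches, so a "no" inside one (as in the first sample) does not disable the setting for everyone else. Run it against /etc/ssh/sshd_config on a host to see which of the two settings still rely on OpenSSH's permissive defaults.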

  6. "Security Researcher"? Really? by Frosty+Piss · · Score: 4, Interesting

    According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

    And this is why I have a problem with this whole "terminology" of the so-called "security researcher". Facts are facts, and whoever it was that installed and left malware that "slurped" passwords and usernames clearly was not a "security researcher", but rather a run-of-the-mill hacker, or call him (almost certainly a him) whatever you want, but NOT a "security researcher".

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:"Security Researcher"? Really? by Frosty+Piss · · Score: 4, Insightful

      Don't call him hacker either after all "hacker" is a positive term...

      You know as well as I do that is "politically correct" garbage. Good or bad, a hacker is a hacker, and "cracker" is a made-up term. Now, if you want to assign hat color (white, black), feel free. But please don't give me this crap that a "black hat" hacker is not a hacker but rather something else because you want to reserve the Hip And Trendy term hacker for yourself... Seriously. That's bullshit.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:"Security Researcher"? Really? by NotInHere · · Score: 1

      Same argumentation works for "Security Researcher" too. The evil Russians who built the nuclear bombs were "researchers" too. And only because the commercial criminal who hacked into the Facebook servers wasn't a white hat, we shouldn't be prevented from calling him a security researcher.

    3. Re:"Security Researcher"? Really? by phantomfive · · Score: 2

      Good points. A hacker can be good, or a hacker can be bad.

      --
      "First they came for the slanderers and i said nothing."
    4. Re: "Security Researcher"? Really? by Bob_Who · · Score: 1

      .... A cracker also known as a black hat is someone that does this.....

      Aren't crackers white?

  7. Nope. In this, you and the majority loses. by Anonymous Coward · · Score: 1

    Nope. Hat colour is a sign that the guys using the term have forgotten what it means entirely and are now just as confused as you always were. The problem with the security industry is that it's a bunch of script kiddies. Nothing more. There is no depth at all in the industry anywhere. Hence, no success except make-believe.

    They are not hackers in any sense. Not a hacker in the older positive sense. Not a hacker in the "look ma Ima bein k-rad kewl wif ma komputor" poser sense for it no longer means anything at all -- see "hat colour". Not "researcher", since they're just doodling along. Not "scientist" since computer science already isn't and computer security science much less so, amazing how that is possible. (Go on, ask Abelson and Sussman how that works.)

    So your use is in fact the "hip and trendy" bullshit, incited by Hollywood and breathless but content-free reporting and marketeering, including the "ETHICAL" shouting match and the hat colour shtick. Hacker in the original sense was a meritocratic term, but has been smudged into unusability. Note that anybody calling themselves a hacker already were posers under the old term. We just have many more posers now, o child of '93. Hacker in the "dodgy stuff with a computer" sense always was the tool of the computer-illiterate wannabe, the script kiddie, the poser, the reporter, the nitwit. In that sense, hacker is very meta-useful, for it instantly tells us what you are. We know now, so thanks for that, I suppose.

    1. Re:Nope. In this, you and the majority loses. by Your.Master · · Score: 1

      I know this is a bold claim from somebody that's merely 31 years old, but no, that etymology does not hold. The word hacker was always at best neutral, and that's a stretch -- it was realistically negative, albeit usually carrying the implication of shoddy workmanship rather than a malicious intruder. The notion of hacker as meaning a black-hat goes back at least 40 years.

    2. Re:Nope. In this, you and the majority loses. by phantomfive · · Score: 1

      I know this is a bold claim from somebody that's merely 31 years old, but no, that etymology does not hold. The word hacker was always at best neutral, and that's a stretch -- it was realistically negative,

      It would be a more believable claim if you had cited evidence to back it up, but instead for some reason you gave us reasons not to believe you. It's like you're debating yourself!

      The notion of hacker as meaning a black-hat goes back at least 40 years.

      The notion of a hacker as a positive thing, someone who tries to deeply understand the system, goes back 50 or 60 years (look up the TMRC or even look for 'hacker' in the jargon dictionary for a citation).

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Nope. In this, you and the majority loses. by Hognoxious · · Score: 1

      I know some people use it more widely, but I always thought it referred specifically to the writing profession - novelists, journalists etc.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. Euwww! by Hognoxious · · Score: 1

    He got sloppy seconds!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  9. 2 things by AndyKron · · Score: 1

    Aren't poking around in a system, and slurping passwords two different things?

    1. Re:2 things by Bob_Who · · Score: 1

      Aren't poking around in a system, and slurping passwords two different things?

      Poking and slurping both sound a bit kinky. But snorting passwords is definitely illicit.