'I Hacked Facebook -- and Found Someone Had Beaten Me To It'

An anonymous reader shares an article on The Register: A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp -- and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system. According to Tsai, he or she stumbled across malware installed by someone else that was stealing usernames and passwords of FB employees who logged into the machine. The login credentials were siphoned off to an outside computer. According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

cat tongues are like sandpaper

[rmdingler]

If the universe is indeed a clever simulation, are you now discovering a hack with a hack in a universe that's been hacked and hacked until it resembles an infinity mirror?

"Security Researcher"? Really?

[Frosty+Piss]

According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook's system in an attempt to snag a bug bounty.

And this is why I have a problem with this whole "terminology" of the so-called "security researcher". Facts are facts and who ever it was that installed and left malware that "slurped" passwords and usernames clearly was not a "security researcher", but rather a run-of-the-mill hacker , or call him (almost certainly a him) what every you want, but NOT a "security researcher".

Re:"Security Researcher"? Really?

[Frosty+Piss]

Don't call him hacker either after all "hacker" is a positive term...

You know as well as I do that is "politically correct" garbage. Good or bad, a hacker is a hacker, and "cracker" is a made-up term. Now, if you want to assign hat color (white, black), feel free. But please do give me this crap that a "black hat" hacker is not a hacker but rather something else because you want to reserve the Hip And Trendy term hacker for yourself... Seriously. That's bullshit.

Re:Yet another Accellion file appliance hack

[Z34107]

Holy shit, you weren't kidding. Quoting selected bugs:

• The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key [...] These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF.
• One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent
• The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. The "soggycat" user account [...] also has two SSH keys configured for passwordless login. These keys were generated over eight years ago.
• All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.
• The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker than talk to the rsync daemon can take full control of the appliance.

This is amateur hour, though still better than what runs our power grid and water treatment plants.