Security researcher discovers backdoor script in hacking Facebook

Whitehathacker Orange Tsai discovered traces of a backdoor script on Facebook’s corporate servers. Through the script on the servers of the social media giant, hackers presumably managed to get their hands on passwords and usernames of employees.

Orange discovered the vulnerabilities by vetting Facebook’s domain names through a reverse whois search. He came across a domain name tfbnw.net, which stands for ‘The Facebook Network’. Then he discovered vpn.tfbnw.net, he writes on his blog.

He then searched further within the ip addresses of Facebook and found the domain files.fb.com between different class c ip addresses. The files domain was used by Facebook employees for file sharing via Accellion’s Secure File Transfer application FTA. Orange discovered a total of seven bugs in FTA and was able to further penetrate the servers of Facebook employees through the vulnerabilities.

By going through existing log data on the servers, Orange discovered that a PHP-based backdoor existed, also known as PHP Web Shell. This shell could have been set up by a hacker. The hack is said to have obtained the data of about 300 employees.

After Orange gathered enough information, he notified the Facebook Security Team. Orange received $10,000 for finding and reporting the bug. Orange itself works for a Taiwanese security firm Devcore.

Facebook later responded to Hacker News saying that the company does not have full control over all software. According to the Facebook employee, the systems would also be separate from other systems, or the systems used for the site itself. In the response, the Facebook employee makes it clear that what Orange discovered was the result of research by another security researcher who participates in Facebook’s bounty program.