
How I Hacked Facebook and Found Someone's Backdoor Script - phwd
http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/
======
reginaldo
This is Reginaldo from the Facebook Security team. We're really glad Orange
reported this to us. On this case, the software we were using is third party.
As we don't have full control of it, we ran it isolated from the systems that
host the data people share on Facebook. We do this precisely to have better
security, as chromakode mentioned. After incident response, we determined that
the activity Orange detected was in fact from another researcher who
participates in our bounty program. Neither of them were able to compromise
other parts of our infrastructure so, the way we see it, it's a double win:
two competent researchers assessed the system, one of them reported what he
found to us and got a good bounty, none of them were able to escalate access.

~~~
peterwwillis
> "As we don't have full control of it, we ran it isolated from the systems
> that host the data people share on Facebook."
>
> "Neither of them were able to compromise other parts of our infrastructure
> so, the way we see it, it's a double win: two competent researchers assessed
> the system, one of them reported what he found to us and got a good bounty,
> none of them were able to escalate access."

From the write-up:

> After checking the browser, the SSL certificate of files.fb.com was *.fb.com …

You left a wildcard cert on this random internet-facing unaudited 3rd party
linux box with no protection against data exfiltration, or an HTTPS proxy in
front of it, or anything? I know it's not as critical as facebook.com, but
this is still bad. Priv escalation CVEs for Linux come out like every month.

At the very least, using this cert, anyone could run a MITM on any *.fb.com
service and compromise without ever breaking in. From the article that could
include VPNs, Outlook Webmail, Oracle E-business and MobileIron. I'm hoping
you did actually have a proxy in front of it and Orange just didn't catch
that.
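
As an added example (not part of this thread, and not Facebook's or Accellion's tooling), the check a defender would want to run when a wildcard certificate turns up on an appliance like this: given a certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns, decide whether it is a wildcard certificate and which hosts in an inventory it would also be valid for, using RFC 6125-style matching (a `*` only as the whole leftmost label, matching exactly one label). The certificate, the `example-corp.test` host names and the inventory below are all constructed and hypothetical.

```python
# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a dict whose "subjectAltName" is a tuple of (type, value) pairs.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example-corp.test"),),),
    "subjectAltName": (("DNS", "*.example-corp.test"),
                       ("DNS", "example-corp.test")),
    "notAfter": "Apr 21 00:00:00 2017 GMT",
}

# Constructed inventory (hypothetical hosts, not any real organisation's):
# the kinds of internal-but-exposed services the comment above lists, plus
# a few edge cases that a naive suffix match would get wrong.
INVENTORY = [
    "files.example-corp.test",
    "vpn.example-corp.test",
    "webmail.example-corp.test",
    "erp.example-corp.test",
    "mdm.example-corp.test",
    "deep.sub.example-corp.test",   # two labels below the wildcard: not covered
    "example-corp.test",            # apex: covered only by the explicit SAN
    "example-corp.test.evil.test",  # suffix trick: must never match
]


def san_dns_names(cert):
    """DNS names from the certificate's subjectAltName, lower-cased."""
    return [v.lower() for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style host matching.

    A '*' is accepted only as the entire leftmost label and stands for
    exactly one label, so '*.example-corp.test' covers 'vpn.example-corp.test'
    but not 'deep.sub.example-corp.test' nor the apex 'example-corp.test'.
    Partial wildcards such as 'f*.example-corp.test' are rejected outright.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def is_wildcard_cert(cert):
    """True if any SAN entry is a wildcard name."""
    return any(n.startswith("*.") for n in san_dns_names(cert))


def blast_radius(cert, inventory):
    """Inventory hosts this certificate (and so its private key) is valid for."""
    names = san_dns_names(cert)
    return sorted(h for h in inventory if any(name_matches(n, h) for n in names))


if __name__ == "__main__":
    print("wildcard cert:", is_wildcard_cert(SAMPLE_CERT))
    for host in blast_radius(SAMPLE_CERT, INVENTORY):
        print("  also valid for:", host)
```

In practice the `SAMPLE_CERT` dict would come from `getpeercert()` on a connection to the appliance, and the inventory from DNS or asset records; every host the function lists shares the appliance key's trust scope, which is the argument for a per-host certificate (or a proxy that holds the key) rather than a wildcard on the box itself.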

~~~
brians
Figure that was probably a CDN, and you don't know the origin configuration

~~~
peterwwillis
I hope it was. But if it and the other services Orange found are just random
internet-facing appliances, it's unlikely they would configure a CDN to get
access, because CDNs are for public traffic typically. Nobody uses a CDN to
open their outlook web mail to the Internet, for example. But they might have
had a regular SSL proxy in front... maybe.

------
chatmasta
It's buried in the bottom of the post, but I'm happy to see that Facebook paid
a bug bounty of $10,000 for this. In the past we've seen Facebook refuse to
pay bug bounties when the hacker goes beyond scope. Interesting that going
beyond the usual scope of bug bounties actually discovered a latent exploit
and _helped_ Facebook. Maybe this will result in change of policies for bounty
scope.

------
dopamean
I'm not sure I understand some of the comments here claiming that 10k is not
enough money for this. It clearly is enough money because Orange found the
problem and reported it.

These arguments always remind me of people claiming that certain professions
are not paid enough. They forget that there is a market for labor and in this
case the labor is finding vulnerabilities. People will either be willing to
work for the posted price or not. In the case of pen testing facebook I'd be
willing to bet there are plenty of people out there looking for bugs who
aren't even really concerned with what the final payout is going to be.

Yeah, they could have gotten completely owned if he didn't report this. But to
him reporting it and getting 10k in compensation was sufficient. Why would
facebook pay him a million if he was willing to take 10k?

~~~
Certhas
There is no free market of labour. Under penalty of death you are forced to
sell your labour. Ultimate buyers' market.

~~~
oconnor663
Companies die without employees too!

A little more seriously, somehow we have to find language for different types
of coercion. Otherwise we'll end up lumping the whole complicated world into
one lump.

------
volkk
I really think 10,000 for serious exploits like these is just not enough
money. Even if OP only spent an hour or two on finding this out (although
highly unlikely), they should pay based on seriousness/potential damage of the
bug. Great writeup though. Super interesting stuff.

~~~
dev1n
common response to why companies don't pay a ton of money for these exploits
[1]

[1]:
[https://news.ycombinator.com/item?id=11249173](https://news.ycombinator.com/item?id=11249173)

~~~
arcticfox
And I still think that line of thinking is bullshit.

The bottom line is that the dollar value for this stuff is arbitrary, and
Facebook arbitrarily picking $10,000 for getting COMPLETELY OWNED and exposing
any selection of personal data (in the case of the other bug, this one seems
to have the potential to be even worse due to credential stealing, although
it's murkier) is pretty gross IMO.

I don't know what the number should be - again, it's arbitrary - but in my
personal book $10,000 is about 10x too low.

~~~
tptacek
Facebook didn't get COMPLETELY OWNED. A third party product they were using
for some backend line of business process that lived in a DMZ got COMPLETELY
OWNED, and the researchers were unable to escalate privileges beyond it.

~~~
thezilch
Doesn't Facebook's policy prohibit privilege escalation? They write the
following:

_You do not exploit a security issue you discover for any reason. (This
includes demonstrating additional risk, such as attempted compromise of
sensitive company data or probing for additional issues.)_ [0]

It's no wonder other bounty researchers didn't find further vectors for
exploiting their privileges. There was a researcher not too long ago hit by
the book for this.

[0] [https://www.facebook.com/whitehat](https://www.facebook.com/whitehat)

~~~
tptacek
That's an oversimplification. What actually happened was: a researcher found a
serverside bug in a random backend box, got RCE, logged in, _scraped and
banked all the creds off the box_, reported the bug, and then a month later
during a dispute used the creds he stored to attack other Fb properties.

Dumping directories from machines and banking their creds isn't "escalating
privileges". If you did that on a pro red team project, saving the creds to
use a month or two later, you'd get fired.

~~~
thezilch
The case (or however one wants to construe what or how things really happened)
isn't too interesting to me. Do you read FB's whitehat rules of engagement
differently?

I dug up the mentioned case, and FB's first contact with the researcher
included, "Please be mindful that taking additional action after locating a
bug violates our bounty policy." Between FB's whitehat policies and that, I'd
be pretty sure not to escalate privileges.

~~~
tptacek
Me too.

------
sveiss
This isn't the first time files.fb.com has been publicly reported as having
been breached:
[http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html](http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html).

------
nickpsecurity
Nice write up. Of course, this would be the team member whose photo is merely
an Orange. Paranoid security people haha...

Part that jumped out at me, aside from obvious goodies, was this:

"FTA is a product which enables secure file transfer, online file sharing and
syncing, as well as integration with Single Sign-on mechanisms including AD,
LDAP and Kerberos"

...followed by...

"...web-based user interfaces were mainly composed of Perl & PHP... PHP
source codes were encrypted by IonCube... lots of Perl Daemons in the
background"

Wow. That inspires a lot of confidence in the "secure" product. I'd have
doubted Facebook relied on such a system had I not known they built their
empire on PHP. We all know its reputation. Their "secure, file-transfer
appliance" fits right in.

------
6stringmerc
Article is exactly as headline advertised, and a well-laid out write-up. Neat
to come across it.

------
TheGuyWhoCodes
Nice work, very detailed. However this is a hack of Accellion's Secure File
Transfer. How should Facebook, or anyone for that matter, protect themselves
in these cases? I mean other than some obvious ones like not running as root,
limiting file access, limiting network access to other servers...

~~~
chromakode
Reason about the software as if it has already been compromised. Think about
how user credentials and private keys the server touches can be used to attack
other internal services, and try to limit the scope as much as possible.

~~~
tptacek
Which is apparently exactly what Facebook does with this thing.

~~~
Guvante
To be fair it looks like they aren't purely using SSO, which is what provided
the credential scraping attack vector that was used by someone else.

------
gillm4
I know nothing about pen testing, but this was very interesting and easy to
follow regardless. Thanks so much for sharing!

------
Techbrunch
This is the same researcher that found a RCE in Uber:
[https://hackerone.com/reports/125980](https://hackerone.com/reports/125980)

Shameless plug, but if you like that kind of article I suggest signing up for my
newsletter: [http://bugbountyweekly.com](http://bugbountyweekly.com). A free,
once-weekly e-mail round-up of news and articles about Bug Bounty.

------
coldcode
Fascinating. Looking for a hackable system and finding someone beat you to it.

~~~
bediger4000
The author and Facebook, Inc are lucky that the earlier hacker was just a
regular spam criminal, not some bigtime "Nation-State Hacker". The
Nation-State Hacker probably would have been a great deal more careful and not
left easy-to-spot PHP backdoors lying around.

This also points out a weak area in our knowledge of hacking: how often does
a given exploit get rediscovered? This and other anecdotes show that it
happens at least once in a while. Prevalence of rediscovery could put the lie
to the NSA's "NOBUS" assumption, though. So we're likely never to see the
results of such research.

------
morley
This is a great write-up. I know little about pen testing, yet I was able to
follow along easily.

------
utefan001
Seems like two factor authentication here would have helped.

~~~
jcoffland
How?

~~~
Torgo
Because the backdoor was logging fb developer credentials. The stolen creds
would not be useful with two-factor required every time.

~~~
walls
If the attacker has control of the box, he can just man-in-the-middle a
two-factor token.

It would certainly require the attacker to be a little more proactive, but it
would hardly stop the credentials from being useful.

~~~
Matt3o12_
But he did not have access to the box with the 2FA. The attacker just had
access to a box hosting software from a third party, completely isolated from
FB's infrastructure.

With the passwords, however, he might have gotten access to the VPN or
services. 2FA would have certainly helped.

This is of course only interesting if the passwords were reused (even the most
security-minded folks do that). If a third party vendor does not support 2FA,
or when dealing with legacy code, I believe it is good practice to only use
randomly generated passwords from password managers.

------
libber
If there is someone to be upset with in this situation, it's Accellion, the
vendor who backs files.fb.com.

Looking at how egregious their security mistakes are, they don't appear to take
security seriously.

This is the same company that (last I was down there) had a billboard on 101
that says "Secure".

Many echoes of Oracle's "unbreakable" ad campaign while being an aggressively
bad-at-security company.

------
frostymarvelous
So Wes got only 2.5K after successfully proving he could access signing and API
keys, after he was threatened with a lawsuit.

How does setting up a shell and collecting credentials and then downloading
them later give you a pat on the back?

Is this some kind of a joke?

------
ayben
emreayben23

------
edem
Why do you use so much emoticons in your article?

------
mxuribe
Quite clever find! Good write-up, too! Kudos!

------
ryanlol
Only $10000? What the hell do you have to find to qualify for that "million
dollar bug"?

~~~
fabulist
If you can find a way to use their backup tool to download an arbitrary user's
profile, and they don't pay you out at $1M, "BS" can be safely called.

------
lawnchair_larry
So since they were unable to pivot laterally, you pat them on the back and
call it a win. But last time someone did successfully pivot laterally, you
threatened his employer? You guys are really sending mixed messages! Are they
allowed to escalate or not? And if that's the new policy, shouldn't you pay
the other guy who did escalate?

~~~
tptacek
That's not what that person did, and you know that, because you were on the
thread where this was picked apart.

The person who had problems with Facebook didn't "pivot laterally".

He popped a shell, _dumped and banked directories from the server_, held them
secretly, and used their contents more than a month after reporting the bug to
Facebook as a cudgel in a dispute over a bounty.

~~~
frostymarvelous
I just went to that thread, read both articles and the HN thread. Your post is
completely inaccurate.

------
oliverhands
i hacked facebook and someone saw me hacking and said why are you hacking and
so that's how i hacked facebook

