

Employees Challenged To Crack Facebook Security, Succeed - ssclafani
http://techcrunch.com/2010/07/05/employees-challenged-to-crack-facebook-security-succeed/

======
pwim
Even though the title says the employees succeeded in bypassing Facebook
security, it seems they did so by breaking into the user's home network.

It is not clear whether they actually got in due to bad security on Facebook's
part, or simply because they had access to the compromised computer.

~~~
thamer
True, they did break into his own network, but that wouldn't matter if
Facebook had a secure login page (SSL).

~~~
pwim
Facebook does appear to use SSL. If you look at the login form, they are
submitting to: <https://login.facebook.com/login.php?login_attempt=1>

~~~
wooster
Which means next to nothing if the page with the login form isn't encrypted. A
man in the middle attack would just replace the Facebook login page, and the
user would likely never notice.

------
eekfuh
Isn't this common? They are employees of the company so they should understand
different weaknesses of the code and should be able to exploit them.

When I was working at (huge tech company with 8000 employees) we did the very
same thing and we were able to get full root-access to our SAAS servers from
finding our .svn folders to get a full dump of the system code, then grepping
through that code to find system level exec commands.

I would be more surprised if they (Facebook or the old company I worked for)
had found nothing.

------
GrandMasterBirt
Ok hold up. There is a BIG difference between TARGETED attacks like the one
described and security holes. A targeted attack like the one described will
work on ANY system PERIOD. Hell he may as well have had his bank account
hacked and complained to citi/chase/ing/etc. The point is such hacks are bogus
when it comes to "hacking Facebook."

However such things are still useful since HE will be targeted if people
really want to hack FB. So then voilà they found an employee who is a
vulnerability and thus will try to close that hole.

I am more interested in hacking Facebook from a pure-user perspective. Getting
information from a random user. See how far it can be taken. That is more
interesting. Saying that "if someone waiting to get hacked got hacked, then a
random joe will definitely get hacked" is bogus. This sort of targeted attack
will get through most secure networks period.

