Facebook tried to play down an incident in which malware was found on its corporate network. A bug bounty hunter who managed to break into the network found that another hacker had already been there and had installed malware that could steal employees' data.
Orange Tsai, an employee of the Taiwanese cyber security firm Devcore, was the second hacker. He said that when he penetrated the network, the first hacker had already set up a tool that harvested Facebook employees' usernames and passwords when they logged in.
He got in through vulnerable third-party software from Accellion, which is used for file transfers. Under the bug bounty scheme that Facebook has in place for all white hat hackers, Tsai received $10,000 after reporting the flaw.
A member of Facebook's security team said he thanked Tsai for his contribution and said that the other bug bounty hacker was also a good person who was just doing his work and trying to earn money through the bug bounty program.
Reginaldo Silva, the engineer at Facebook, said:
"Neither of them was able to compromise other parts of our infrastructure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."
He also said that people's data on Facebook was safe because the hackers had gone through third-party software that Facebook could not control, and that software was isolated from the systems which host people's data.
"We do this precisely to have better security."
Facebook is yet to comment on the findings.