That’s the most commonly asked question during this decade.
It’s a hacker dream to hack Facebook website for earning bug bounty or for any malicious purpose.
Facebook security team recently found that someone, probably a blackhat hacker with malicious intent, has breached into its server and installed a backdoor that was configured to steal Facebook employees' login credentials.
Since the backdoor discovered in the Facebook’s corporate server, not on its main server, Facebook user accounts are not affected by this incident.
Though the company would have never known about the backdoor if a whitehat hacker had never spotted the backdoor script while hunting for vulnerabilities.
Also Read: Ever Wondered How Facebook Decides, How much Bounty Should be Paid?
Security researcher Orange Tsai of Taiwanese security vendor DEVCORE accidentally came across a backdoor script on one of Facebook’s corporate servers while finding bugs to earn cash reward from Facebook.
Tsai scanned Facebook's IP address space that led him to the files.fb.com domain that was hosting a vulnerable version of the Secure File Transfer application (FTA) made by Accellion and was used by Facebook employees for file sharing and collaboration.
Tsai analyzed the vulnerable FTA and discovered seven security flaws as he explained in his blog post:
- 3 Cross-site scripting (XSS) flaws,
- 2 Remote code execution flaws,
- 2 Local privilege escalation issues.
The researcher then used the vulnerabilities he found in the Accellion Secure FTA and gained access to Facebook's server.
After successfully achieving his goal, Tsai started analyzing logs information available on the Facebook’s server for preparing his bug report, and that is exactly when he spotted a PHP-based backdoor, popularly known as a PHP Web shell, that had possibly been installed on the server by a malicious hacker.
Tsai then reported all of his findings to the Facebook security team, which rewarded him with $10,000 (€8,850) for his efforts and started its own forensics investigation that was completed this month, allowing the researcher to disclose the vulnerabilities responsibly.