How I Hacked Facebook and Found Someone's Backdoor Script

865 points by phwd about 9 years ago

21 comments

reginaldo, about 9 years ago
This is Reginaldo from the Facebook Security team. We're really glad Orange reported this to us. In this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security, as chromakode mentioned. After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them was able to compromise other parts of our infrastructure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, and neither of them was able to escalate access.
chatmasta, about 9 years ago
It's buried at the bottom of the post, but I'm happy to see that Facebook paid a bug bounty of $10,000 for this. In the past we've seen Facebook refuse to pay bug bounties when the hacker goes beyond scope. Interesting that going beyond the usual scope of bug bounties actually discovered a latent exploit and helped Facebook. Maybe this will result in a change of policies for bounty scope.
dopamean, about 9 years ago
I'm not sure I understand some of the comments here claiming that 10k is not enough money for this. It clearly is enough money because Orange found the problem and reported it.

These arguments always remind me of people claiming that certain professions are not paid enough. They forget that there is a market for labor and in this case the labor is finding vulnerabilities. People will either be willing to work for the posted price or not. In the case of pen testing Facebook I'd be willing to bet there are plenty of people out there looking for bugs who aren't even really concerned with what the final payout is going to be.

Yeah, they could have gotten completely owned if he didn't report this. But to him reporting it and getting 10k in compensation was sufficient. Why would Facebook pay him a million if he was willing to take 10k?
volkk, about 9 years ago
I really think 10,000 for serious exploits like these is just not enough money. Even if OP only spent an hour or two on finding this out (although highly unlikely), they should pay based on the seriousness/potential damage of the bug. Great writeup though. Super interesting stuff.
sveiss, about 9 years ago
This isn't the first time files.fb.com has been publicly reported as having been breached: http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html
nickpsecurity, about 9 years ago
Nice write-up. Of course, this would be the team member whose photo is merely an orange. Paranoid security people haha...

Part that jumped out at me, aside from the obvious goodies, was this:

"FTA is a product which enables secure file transfer, online file sharing and syncing, as well as integration with Single Sign-on mechanisms including AD, LDAP and Kerberos"

...followed by...

"...web-based user interfaces were mainly composed of Perl & PHP... PHP source codes were encrypted by IonCube... lots of Perl Daemons in the background"

Wow. That inspires a lot of confidence in the "secure" product. I'd have doubted Facebook relied on such a system had I not known they built their empire on PHP. We all know its reputation. Their "secure, file-transfer appliance" fits right in.
6stringmerc, about 9 years ago
Article is exactly as headline advertised, and a well-laid out write-up. Neat to come across it.
TheGuyWhoCodes, about 9 years ago
Nice work, very detailed. However, this is a hack of Accellion's Secure File Transfer. How should Facebook, or anyone for that matter, protect themselves in these cases? I mean other than some obvious ones like not running as root, limiting file access, limiting network access to other servers...
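The thread's title is about finding someone else's backdoor script on a third-party appliance, and the comment above asks what an operator can do beyond isolation and least privilege. One concrete answer is file-integrity monitoring of the appliance's web root: a vendor box's scripts should only change during a vendor update, so any new or modified script file outside a maintenance window is an alert. The following is an added example written for this page, not code from the original write-up, Facebook or Accellion; it builds a hash baseline, diffs it against the current tree, and flags added or changed script files. The directory layout, file names and the tampering it simulates are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a web-facing appliance executes; changes here are the ones worth paging on.
# This set is an assumption for the demo, not something the page specifies.
SCRIPT_SUFFIXES = {".php", ".pl", ".cgi", ".sh"}


def hash_tree(root: Path) -> dict:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Diff two hash maps into added / removed / modified path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(findings: dict) -> list:
    """Added or modified executable scripts are the findings that deserve an alert.

    Static assets (images, CSS) changing is noise; a new or altered .php/.pl file
    on a box whose code is vendor-supplied and IonCube-encrypted is not.
    """
    return sorted(
        p for p in findings["added"] + findings["modified"]
        if Path(p).suffix in SCRIPT_SUFFIXES
    )


def demo() -> list:
    """Build a constructed web root, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "login.pl").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "index.php").write_text("<?php echo 'home'; ?>\n")
        (root / "logo.png").write_bytes(b"\x89PNG constructed image bytes")

        baseline = hash_tree(root)  # in practice: persisted off-box at install time

        # Constructed changes standing in for post-install tampering:
        # one existing script altered, one new script dropped, one image replaced.
        (root / "cgi-bin" / "login.pl").write_text("#!/usr/bin/perl\nprint 'ok';\n# appended\n")
        (root / "uploads.php").write_text("<?php /* constructed new file */ ?>\n")
        (root / "logo.png").write_bytes(b"\x89PNG different bytes")

        current = hash_tree(root)
        return suspicious(compare_baseline(baseline, current))


if __name__ == "__main__":
    for path in demo():
        print("ALERT: script added or modified since baseline:", path)
```

The baseline must be stored somewhere the appliance itself cannot rewrite (otherwise whoever modifies the scripts can also refresh the hashes), and the comparison should run from outside the box or from a read-only mount, which fits the isolation Reginaldo describes in the thread. The image change is deliberately not flagged, so a practitioner can see that the filter keys on executable types rather than on every byte that moves.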
gillm4, about 9 years ago
I know nothing about pen testing, but this was very interesting and easy to follow regardless. Thanks so much for sharing!
Techbrunch, about 9 years ago
This is the same researcher that found an RCE in Uber: https://hackerone.com/reports/125980

Shameless plug, but if you like this kind of article I suggest signing up to my newsletter: http://bugbountyweekly.com. A free, once-weekly e-mail round-up of news and articles about bug bounties.
coldcode, about 9 years ago
Fascinating. Looking for a hackable system and finding someone beat you to it.
morley, about 9 years ago
This is a great write-up. I know little about pen testing, yet I was able to follow along easily.
utefan001, about 9 years ago
Seems like two factor authentication here would have helped.
libber, about 9 years ago
If there is someone to be upset with in this situation it's Accellion, the vendor who backs files.fb.com.

Looking at how egregious their security mistakes are, they don't appear to take security seriously.

This is the same company that (last I was down there) had a billboard on 101 that says "Secure".

Many echoes of Oracle's "unbreakable" ad campaign while being an aggressively bad-at-security company.
frostymarvelous, about 9 years ago
So Wes got only 2.5K after successfully proving he could access signing and API keys, after he was threatened with a lawsuit.

How does setting up a shell and collecting credentials and then downloading them later give you a pat on the back?

Is this some kind of a joke?
ayben, about 9 years ago
emreayben23
edem, about 9 years ago
Why do you use so many emoticons in your article?
mxuribe, about 9 years ago
Quite clever find! Good write-up, too! Kudos!
ryanlol, about 9 years ago
Only $10000? What the hell do you have to find to qualify for that "million dollar bug"?
lawnchair_larry, about 9 years ago
So since they were unable to pivot laterally, you pat them on the back and call it a win. But last time someone did successfully pivot laterally, you threatened his employer? You guys are really sending mixed messages! Are they allowed to escalate or not? And if that's the new policy, shouldn't you pay the other guy who did escalate?
oliverhands, about 9 years ago
i hacked facebook and someone saw me hacking and said why are you hacking and so that's how i hacked facebook