In light of the whole FBI vs. Apple fiasco, many big-name tech companies beefed up their encryption and security practices. Facebook was among those companies, and probably the one that was the most vocal about it. But it looks like Facebook’s big push for security may have been too little, too late.
According to Taiwan-based security company Orange Tsai, Facebook’s server may have been the target of a frightening hack. A consultant at the security firm located malware that granted him access to the passwords and login credentials of Facebook employees, which in turn provided access to their emails and shared network files.
So far, it doesn’t appear that any of Facebook’s users were impacted by the hack, or that any of their information has been stolen.
The vulnerability was identified when the consultant noticed Accellion’s web-based Secure File Transfer program on the company’s network. This file transfer service has caused problems in the past for other big-name companies, since it was found to have many security issues.
From there, the consultant looked into other potential vulnerabilities and found significant gaps in the system, including a SQL injection flaw that allowed code to be injected remotely.
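To make the SQL injection point concrete, here is an added illustration (not code from the article, Facebook, or Accellion) showing why a query built by string concatenation lets remote input rewrite the statement, and why a parameterized query closes that gap. The `users` table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a toy "users" table standing in for any login store.
# This is an illustration added to the article, not code from Facebook or Accellion.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Builds the query by string concatenation: the caller's input becomes part
    # of the SQL grammar, so a quote character in the input can rewrite the
    # WHERE clause instead of being compared as data.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the driver sends the value separately from the SQL
    # text, so the input is only ever treated as a string literal to compare.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username: str) -> dict:
    # Runs the same input through both lookups and reports how many rows each
    # returns, so the difference between the two query styles is visible.
    conn = build_db()
    return {"vulnerable": len(lookup_vulnerable(conn, username)),
            "safe": len(lookup_safe(conn, username))}

if __name__ == "__main__":
    print(compare("alice"))        # {'vulnerable': 1, 'safe': 1}
    print(compare("' OR '1'='1"))  # {'vulnerable': 3, 'safe': 0}
```

For a normal username both lookups agree. For input containing a quote and an always-true clause, the concatenated version returns every row because the input has become part of the query, while the parameterized version returns nothing because the whole string is compared as a literal username. The fix in real code is the same: bind values as parameters and never splice untrusted input into SQL text.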
In response to the recent discovery, Facebook’s security team issued a statement explaining it does not have complete control over the Accellion software, and for that reason, only runs this software on a few isolated systems.
But perhaps the most worrisome part of this story is that the consultant at Orange Tsai was able to gain access to Facebook’s servers at all. Yet Facebook appears to be shrugging it off, explaining that the original breach Orange discovered came from a participant in one of its bounty programs.
“We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program,” said a Facebook representative. “Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it’s a double win. Two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.”
What do you think? Is this really a good thing like Facebook says? Or has it opened doors for even larger threats? Let us know in the comments.