Unauthorized Entity Entered a Backdoor in Facebook’s Code

One good-guy hacker recently detected a server-side vulnerability that had not only existed for months, but that apparently had been successfully exploited by someone else multiple times.

In a blog post, a self-described "penetration tester" going by the moniker Orange Tsai found seven vulnerabilities, a few of which enabled him to take control of Facebook's servers.

In doing so, he found some PHP error messages that seemed to be caused by the unauthorized visitor. The other user apparently created a proxy on the credential page to steal the credentials of Facebook employees.

"And at the time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly '@fb.com' and '@facebook.com,'" Tsai wrote. "Upon seeing it I thought it's a pretty serious security incident."

Tsai alerted Facebook's security team to his findings early February, and said he received confirmation that Facebook would inspect the vulnerability.

He said he was asked not to disclose the exploit until Facebook completed its investigation on April 20.

Someone purportedly from Facebook's security team posted in a forum shortly after Tsai published his post that the company was "really glad Orange reported this to us."