Thanks Orange Tsai for ruining my fun!
Giggity.
A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp – and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully …
....the password-slurping malware was installed by another security researcher....
Yes, 'cos security researchers do that sort of thing. Not thieving scumbags at all. Oh no.
I have to say that as versions of "It's all OK, you're still safe with us" go, that one has to be the least believable of all time.
I have a problem reconciling knowing about exploit attempts and not cleaning out any residual malware as fast as you're made aware of it.
Given the impact of declaring a previous invasion "known and controlled" versus "oh f*ck, we've been hacked" I think Facebook has just created a new default PR response for any US company that has been breached. As long as no data leaks you can get away with such statements, and I wonder if such a response is enough to exonerate you from having to formally report being hacked as is now becoming law in quite a few States in the US.
So no, I'm not quite buying this one - interested to hear if others agree.
I'm thinking the "previous researcher" may, in fact, have been a semi-current researcher who was trying to use the FB employee logins to get further into the FB system and claim a larger (2-part?) bounty. Orange, upon seeing the malware, did not follow the same strategy, and procured the prize by publishing prior to the previous penetrator.
Without any actual evidence, we will have to accept the scripted answer.
No. Without any actual evidence, "we don't know" is a better conclusion than accepting any answer, especially one from a party with an interest in controlling perception of the incident.
From the article:
"It also turns out the server had a *.fb.com wildcard SSL certificate installed on it. Misusing it would trip Facebook's cert logs, though."
Would that be true? I thought the cert logs only tracked SSL cert _issuances_ from CAs. If I was able to get their wildcard cert and copy it to my machine then I could use it and no CA would be involved and no new cert issued. How would the cert logs track that?
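The question above is about what a Certificate Transparency log actually records. As an added illustration (my own toy code, not from the article, the commenters, or Facebook's infrastructure), the following Python models an RFC 6962-style append-only log with a Merkle-tree inclusion proof and a simple domain monitor. The issuer, serials and the placeholder domain example-corp.test are all constructed. It shows that a monitor sees new issuances for a name, while copying an already-logged certificate to another host adds no entry, so the log stays identical and its inclusion proof for the original cert still verifies. That is the gap the commenter describes: a leaked key is handled by revocation and reissuance, not by the log noticing its use.

```python
"""Toy Certificate Transparency log: issuance events, not where a cert is used."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


@dataclass(frozen=True)
class CertRecord:
    """Constructed stand-in for a logged (pre)certificate; real logs store DER."""
    subject: str
    issuer: str
    serial: int

    def to_bytes(self) -> bytes:
        return json.dumps(asdict(self), sort_keys=True).encode()


def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || data)."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2), per RFC 6962 2.1."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(index: int, leaves: List[bytes]) -> List[bytes]:
    """Sibling hashes from the leaf up to the root (RFC 6962 PATH(m, D[n]))."""
    if len(leaves) == 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return audit_path(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return audit_path(index - k, leaves[k:]) + [merkle_root(leaves[:k])]


def _fold(h: bytes, index: int, n: int, path: List[bytes]) -> bytes:
    """Rebuild the root by consuming the path top-down (last element = top sibling)."""
    if n == 1:
        return h
    k = _split_point(n)
    sibling = path.pop()
    if index < k:
        return node_hash(_fold(h, index, k, path), sibling)
    return node_hash(sibling, _fold(h, index - k, n - k, path))


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """True only if leaf + path recompute exactly the given root for this tree size."""
    if index >= tree_size:
        return False
    remaining = list(path)
    try:
        computed = _fold(leaf_hash(leaf), index, tree_size, remaining)
    except IndexError:          # path too short for the claimed tree size
        return False
    return not remaining and computed == root


def _covers(subject: str, domain: str) -> bool:
    """Does a certificate subject (possibly a wildcard) cover this hostname?"""
    if subject.startswith("*."):
        base = subject[2:]
        return domain.endswith("." + base) and domain.count(".") == base.count(".") + 1
    return subject == domain


class ToyCTLog:
    """Append-only log of issuance records; it never observes TLS handshakes."""

    def __init__(self) -> None:
        self._entries: List[CertRecord] = []

    def log_issuance(self, record: CertRecord) -> int:
        self._entries.append(record)
        return len(self._entries) - 1

    def tree_size(self) -> int:
        return len(self._entries)

    def leaves(self) -> List[bytes]:
        return [r.to_bytes() for r in self._entries]

    def root(self) -> bytes:
        return merkle_root(self.leaves())

    def proof(self, index: int) -> List[bytes]:
        return audit_path(index, self.leaves())

    def entries_for(self, domain: str) -> List[CertRecord]:
        """What a CT monitor sees: every logged cert whose subject covers the name."""
        return [r for r in self._entries if _covers(r.subject, domain)]


def demo():
    """Returns (seen_before, seen_after_copy, seen_after_new_issue, proof_ok)."""
    log = ToyCTLog()
    wildcard = CertRecord("*.example-corp.test", "Constructed Toy CA", 1001)
    idx = log.log_issuance(wildcard)
    host = "files.example-corp.test"
    seen_before = len(log.entries_for(host))
    # Copying the existing cert and key to a second host is not an issuance:
    # the log gets no new entry, so the monitor sees the same set as before.
    seen_after_copy = len(log.entries_for(host))
    # A fresh certificate for the name (renewal or mis-issuance) IS an issuance,
    # and that is the event a CT monitor actually catches.
    log.log_issuance(CertRecord(host, "Constructed Toy CA", 1002))
    seen_after_new_issue = len(log.entries_for(host))
    proof_ok = verify_inclusion(wildcard.to_bytes(), idx, log.tree_size(),
                                log.proof(idx), log.root())
    return seen_before, seen_after_copy, seen_after_new_issue, proof_ok


if __name__ == "__main__":
    print(demo())
```

The monitor in `entries_for` is the defender's side of CT: it flags certificates newly logged for names you own, which catches mis-issuance and unauthorised CAs. Reuse of a certificate that was logged legitimately at issuance is invisible to it by design.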