Comments on 'I hacked Facebook – and found someone had beaten me to it'

A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp – and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully …

  1. wolfetone Silver badge
    Trollface

    Thanks Orange Tsai for ruining my fun!

    Giggity.

  2. Alister Silver badge
    Coat

    "another researcher"

    So, did he open a terminal window and type:

    "Mess with the best, die like the rest."

    No?, Oh, OK.

    1. Anonymous Coward
      Anonymous Coward

      Re: "another researcher"

      Pssshh dude.. only a noob would say that.

      On another note though...I wonder if his laptop has a killer refresh rate.

      Also the previous hacker should have tripled his RAM.

      I could quote that movie all day.

      Photographic memory... it's a curse.

    2. Anonymous Coward
      Anonymous Coward

      Re: "another researcher"

      "Mess with the best, die like the rest."

      If they can hack Facebook, can they Hack the Gibson? :)

  3. TeeCee Gold badge
    WTF?

    Excuses.

    ....the password-slurping malware was installed by another security researcher....

    Yes, 'cos security researchers do that sort of thing. Not thieving scumbags at all. Oh no.

    I have to say that as versions of "It's all OK, you're still safe with us" go, that one has to be the least believable of all time.

    1. CraPo

      Re: Excuses.

      Well, it would make claiming the bounty rather awkward...

      1. Phil O'Sophical Silver badge
        Coat

        Re: Excuses.

        two competent researchers assessed the system, one of them reported what he found to us and got a good bounty,

        The other slurped internal identities and passwords and sold them for more than we offered as a bounty.

        1. Mark 85 Silver badge

          Re: Excuses.

          One does have to wonder about that. I'd think that any "researcher" would remove their hack after pointing it out to the company. I notice no mention of logs showing when the last time the code sent something to the "researcher". I smell a con job.

          1. mIRCat
            Linux

            Re: Excuses.

            "I smell a con job." Mark 85

            Did you mean cron job? It was a Linux server after all.

  4. kryptonaut
    Black Helicopters

    Shhh!

    "Having exploited the classic SQL injunction bug..."

    Are we even allowed to discuss this?

    1. Dan 55 Silver badge
      Joke

      Re: Shhh!

      Yes, it's a classic injunction, not a super injunction.

      1. Adam Foxton

        Re: Shhh!

        Nah, it's not the classic injunction- it's just the SQL

    2. Bloakey1

      Re: Shhh!

      We are allowed to discuss it but must not bring a bottle of olive oil to the meeting and God forbid that we remove our clothes and have a wrestle if the discussion gets heated.

    3. AbelSoul
      Big Brother

      Re: Are we even allowed to discuss this?

      Up here in haggis land we can, apparently, but no one actually does.

      1. frank ly Silver badge

        Re: Are we even allowed to discuss this?

        Is that because it's too cold at this time of year? Oh wait, I'm thinking about olive oil wrestling, again.

        1. Paul Crawford Silver badge

          Re: Are we even allowed to discuss this?

          It's too cold every time of the year!

  5. Anonymous Coward
    Anonymous Coward

    I'm not quite buying the "previous security researcher" story

    I have a problem reconciling knowing about exploit attempts and not cleaning out any residual malware as fast as you're made aware of it.

    Given the impact of declaring a previous invasion "known and controlled" versus "oh f*ck, we've been hacked" I think Facebook has just created a new default PR response for any US company that has been breached. As long as no data leaks you can get away with such statements, and I wonder if such a response is enough to exonerate you from having to formally report being hacked as is now becoming law in quite a few States in the US.

    So no, I'm not quite buying this one - interested to hear if others agree.

    1. Sir Runcible Spoon Silver badge

      Re: I'm not quite buying the "previous security researcher" story

      What you said was the first thing that crossed my mind, but then I'm paid to be paranoid :)

      Without any actual evidence, we will have to accept the scripted answer. Who knows, it might even be right.

      1. Swarthy Silver badge
        Go

        Re: I'm not quite buying the "previous security researcher" story

        I'm thinking the "previous researcher" may, in fact, have been a semi-current researcher who was trying to use the FB employee logins to get further into the FB system and claim a larger (2-part?) bounty. Orange, upon seeing the malware, did not follow the same strategy, and procured the prize by publishing prior to the previous penetrator.

      2. Steve Knox

        Re: I'm not quite buying the "previous security researcher" story

        Without any actual evidence, we will have to accept the scripted answer.

        No. Without any actual evidence, "we don't know" is a better conclusion than accepting any answer, especially one from a party with an interest in controlling perception of the incident.

  6. Stephen W Harris

    Cert logs?

    From the article:

    "It also turns out the server had a *.fb.com wildcard SSL certificate installed on it. Misusing it would trip Facebook's cert logs, though."

    Would that be true? I thought the cert logs only tracked SSL cert _issuances_ from CAs. If I was able to get their wildcard cert and copy it to my machine then I could use it and no CA would be involved and no new cert issued. How would the cert logs track that?

    1. Sir Runcible Spoon Silver badge

      Re: Cert logs?

      I suppose their IPS might be configured to white-list specific URLs in the cert exchange - access to other URLs could then be flagged.

      Seems a long-winded way of doing it rather than issuing certs for each site, but I've heard rich people are often the tightest :)
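An added example, not code from the article, from Orange Tsai or from any commenter above, to make concrete the point Stephen W Harris raises and the allow-list idea Sir Runcible Spoon replies with. Certificate Transparency logs record issuance: a CA submits a certificate when it is issued and the log returns a signed timestamp. A key and certificate copied off a compromised box are already in the logs, so presenting them from an attacker's host creates no new log entry and CT monitoring alone sees nothing. What would see it is telemetry about who presents which certificate for which name. The code below assumes a TLS-aware sensor that exports handshake records (server IP, SNI, leaf fingerprint); the CT view, the key-holder inventory, the example.com names, the fingerprints and the IP addresses are all constructed for the example.

```python
from dataclasses import dataclass


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' may only be the whole left-most label and it
    matches exactly one label, so '*.example.com' covers 'www.example.com'
    but neither 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False  # partial-label or multiple wildcards are rejected
    suffix = pattern[1:]                 # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the label the '*' stands for
    return leftmost != "" and "." not in leftmost


def cert_covers(san_names, hostname: str) -> bool:
    """True if any subjectAltName on the certificate matches the hostname."""
    return any(wildcard_matches(n, hostname) for n in san_names)


@dataclass(frozen=True)
class Handshake:
    server_ip: str    # host that presented the certificate
    sni: str          # name the client asked for
    fingerprint: str  # SHA-256 of the presented leaf certificate (constructed)


# Constructed CT view: certificates a CA has issued and logged for the zone.
CT_LOG = {
    "sha256:wildcard-2016": {"*.example.com", "example.com"},
}

# Constructed inventory: which hosts are supposed to hold each private key.
KEY_HOLDERS = {
    "sha256:wildcard-2016": {"10.0.0.5", "10.0.0.6"},
}

# Constructed handshake telemetry; 198.51.100.7 is the attacker's box
# presenting the copied wildcard certificate.
HANDSHAKES = [
    Handshake("10.0.0.5", "www.example.com", "sha256:wildcard-2016"),
    Handshake("10.0.0.6", "files.example.com", "sha256:wildcard-2016"),
    Handshake("198.51.100.7", "login.example.com", "sha256:wildcard-2016"),
    Handshake("10.0.0.5", "deep.sub.example.com", "sha256:wildcard-2016"),
]


def unlogged_certs(handshakes, ct_log=CT_LOG):
    """What CT monitoring can catch: a certificate for our names that no log
    has seen, i.e. a NEW issuance.  A copied key/cert pair is already logged,
    so it never shows up here."""
    return {h.fingerprint for h in handshakes if h.fingerprint not in ct_log}


def misuse_alerts(handshakes, ct_log=CT_LOG, key_holders=KEY_HOLDERS):
    """What handshake telemetry can catch: a logged certificate presented by
    a host that should not hold the key, or for a name it does not cover."""
    alerts = []
    for h in handshakes:
        names = ct_log.get(h.fingerprint, set())
        if h.server_ip not in key_holders.get(h.fingerprint, set()):
            alerts.append((h, "certificate presented by unexpected host"))
        elif not cert_covers(names, h.sni):
            alerts.append((h, "name not covered by certificate"))
    return alerts


if __name__ == "__main__":
    print("CT would flag:", unlogged_certs(HANDSHAKES))  # empty set
    for h, why in misuse_alerts(HANDSHAKES):
        print(f"ALERT {h.server_ip} {h.sni}: {why}")
```

Run as a script, the CT check returns nothing for the copied certificate while the handshake check flags the unexpected host; the fourth record shows the single-label wildcard rule, which is the same rule clients apply when validating the name.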

  7. Frank N. Stein

    Looks like I need to learn some network security. Where are the gurus?

  8. anniemouse

    the thief is also a cheapo

    $10k? It was worth $1M.

    someone got fleeced again.

    PS: I have never used fakebook and never will.

Biting the hand that feeds IT © 1998–2019