Sign in / up

back to article 'I hacked Facebook – and found someone had beaten me to it'

A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp – and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. wolfetone Silver badge
    Trollface

    Thanks Orange Tsai for ruining my fun!

    Giggity.

    2 0 Reply
  2. Alister
    Coat

    "another researcher"

    So, did he open a terminal window and type:

    "Mess with the best, die like the rest."

    No?, Oh, OK.

    9 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: "another researcher"

      Pssshh dude.. only a noob would say that.

      On another note though...I wonder if his laptop has a killer refresh rate.

      Also the previous hacker should have tripled his RAM.

      I could quote that movie all day.

      Photographic memory...its a curse.

      2 0 Reply
    2. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: "another researcher"

      "Mess with the best, die like the rest."

      If they can hack Facebook, can they Hack the Gibson? :)

      1 0 Reply
  3. TeeCee Gold badge
    WTF?

    Excuses.

    ....the password-slurping malware was installed by another security researcher....

    Yes, 'cos security researchers do that sort of thing. Not thieving scumbags at all. Oh no.

    I have to say that as versions of "It's all OK, you're still safe with us" go, that one has to be the least believable of all time.

    16 0 Reply
    1. CraPo
      Reply Icon

      Re: Excuses.

      Well, it would make claiming the bounty rather awkward...

      0 0 Reply
      1. Phil O'Sophical Silver badge
        Reply Icon
        Coat

        Re: Excuses.

        two competent researchers assessed the system, one of them reported what he found to us and got a good bounty,

        The other slurped internal identities and passwords and sold them for more than we offered as a bounty.

        16 0 Reply
        1. Mark 85
          Reply Icon

          Re: Excuses.

          One does have to wonder about that. I'd think that any "researcher" would remove their hack after pointing it out to the company. I notice no mention of logs showing when the last time the code sent something to the "researcher". I smell a con job.

          0 0 Reply
          1. mIRCat
            Reply Icon
            Linux

            Re: Excuses.

            "I smell a con job." Mark 85

            Did you mean cron job? It was a Linux server after all.

            2 0 Reply
  4. kryptonaut
    Black Helicopters

    Shhh!

    "Having exploited the classic SQL injunction bug..."

    Are we even allowed to discuss this?

    10 0 Reply
    1. Dan 55 Silver badge
      Reply Icon
      Joke

      Re: Shhh!

      Yes, it's a classic injunction, not a super injunction.

      12 0 Reply
      1. Adam Foxton
        Reply Icon

        Re: Shhh!

        Nah, it's not the classic injunction- it's just the SQL

        2 0 Reply
    2. Bloakey1
      Reply Icon

      Re: Shhh!

      We are allowed to discuss it but must not bring a bottle of olive oil to the meeting and God forbid that we remove our clothes and have a wrestle if the discussion get heated.

      1 0 Reply
    3. AbelSoul
      Reply Icon
      Big Brother

      Re: Are we even allowed to discuss this?

      Up here in haggis land we can, apparently, but no one actually does.

      2 0 Reply
      1. frank ly
        Reply Icon

        Re: Are we even allowed to discuss this?

        Is that because it's too cold at this time of year? Oh wait, I'm thinking about olive oil wrestling, again.

        0 0 Reply
        1. Paul Crawford Silver badge
          Reply Icon

          Re: Are we even allowed to discuss this?

          It's too cold every time of the year!

          0 0 Reply
  5. Anonymous Coward
    Anonymous Coward

    I'm not quite buying the "previous security researcher" story

    I have a problem reconciling knowing about exploit attempts and not cleaning out any residual malware as fast as you're made aware of it.

    Given the impact of declaring a previous invasion "known and controlled" versus "oh f*ck, we've been hacked" I think Facebook has just created a new default PR response for any US company that has been breached. As long as no data leaks you can get away with such statements, and I wonder if such a response is enough to exonerate you from having to formally report being hacked as is now becoming law in quite a few States in the US.

    So no, I'm not quite buying this one - interested to hear if others agree.

    10 0 Reply
    1. Sir Runcible Spoon
      Reply Icon

      Re: I'm not quite buying the "previous security researcher" story

      What you said was the first thing that crossed my mind, but then I'm paid to be paranoid :)

      Without any actual evidence, we will have to accept the scripted answer. Who knows, it might even be right.

      3 0 Reply
      1. Swarthy
        Reply Icon
        Go

        Re: I'm not quite buying the "previous security researcher" story

        I'm thinking the "previous researcher" may, in fact, have been a semi-current researcher who was trying to use the FB employee logins to get further into the FB system and claim a larger (2-part?) bounty. Orange, upon seeing the malware, did not follow the same strategy, and procured the prize by publishing prior to the previous penetrater.

        0 0 Reply
      2. Steve Knox
        Reply Icon

        Re: I'm not quite buying the "previous security researcher" story

        Without any actual evidence, we will have to accept the scripted answer.

        No. Without any actual evidence, "we don't know" is a better conclusion than accepting any answer, especially one from a party with an interest in controlling perception of the incident.

        1 0 Reply
  6. Stephen W Harris

    Cert logs?

    From the article:

    "It also turns out the server had a *.fb.com wildcard SSL certificate installed on it. Misusing it would trip Facebook's cert logs, though."

    Would that be true? I thought the cert logs only tracked SSL cert _issuances_ from CAs. If I was able to get their wildcard cert and copy it to my machine then I could use it and no CA would be involved and no new cert issued. How would the cert logs track that?

    1 0 Reply
    1. Sir Runcible Spoon
      Reply Icon

      Re: Cert logs?

      I suppose their IPS might be configured to white-list specific URL's in the cert exchange - access to other URL's could then be flagged.

      Seems a long-winded way of doing it rather than issuing certs for each site, but I've heard rich people are often the tightest :)

      2 0 Reply
  7. Frank N. Stein

    Looks like I need to learn some network security. Where are the gurus?

    1 0 Reply
  8. anniemouse

    the thief is also a cheapo

    $10k? it was worth $1M.

    someone got fleeced again.

    ps- i have never used fakebook and never will.

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like