Security researcher Orange Tsai of Taiwanese security vendor Devco recently found that someone, probably a blackhat hacker with malicious intent, has breached into its server and installed a backdoor that was stealing Facebook employee's login credentials.

The hack was discovered on the Facebook company server so user accounts were not affected by the hack.

Tsai analyzed a vulnerable version of the Secure File Transfer application (FTA) made by Accellion and was used by Facebook employees for file sharing and collaboration.

He found seven vulnerable FTA flaws:

• 3 Cross-site scripting (XSS) flaws,
• 2 Remote code execution flaws,
• 2 Local privilege escalation issues.

He used those flaws to gain access to Facebooks server. While preparing his bug report, he spotted a PHP-based backdoor, popularly known as a PHP Web shell, that had possibly been installed on the server by a malicious hacker.

Tsai then reported all of his findings and was rewarded with a bug bounty of $10,000.

Source: The Hacker News