Here’s a fascinating story about a hacker who caught a hacker.
(We’re using the word hacker in a legally non-committal sense here: someone with technical skills who finds ways to do things with a computer system that weren’t supposed to happen.)
We don’t know who the first hacker is, but the second, who caught out the first, goes by Orange Tsai, and works as a penetration tester at Devcore, a boutique security consultancy in Taipei.
Facebook was the victim of both hacks, but is surprisingly relaxed about it.
Facebook considers both hackers to be researchers who participate in the company’s bounty program; indeed, Orange was awarded $10,000 for the discovery described here.
We recommend that you read Orange’s own report, because it gives a very clear account of how a penetration tester (and, for that matter, a cybercrook) goes about researching, exploring and exploiting security holes in a network.
The quick version is that Orange went looking for unusually-named Facebook servers, and soon found one called vpn.tfbnw.net.
VPN is short for Virtual Private Network, which is, in this context, a secure gateway into TFBNW, short for The FaceBook NetWork.
That server sounds like a great place to start hacking, but Orange quickly found that it was a recent product with recent patches, and therefore decided not to waste too much time on it.
Instead, Orange decided simply to treat vpn.tfbnw.net as a good starting point on the network to look around for other servers of interest.
This led quickly to files.fb.com, which turned out to be a secure file-sharing product from a company called Accellion; the closest SoHo equivalent is probably a NAS device, short for “network attached storage.”
A server that’s used for in-house collaboration sounds like something you’d want to penetrate specifically to riffle through the content that the server has to offer.
But penetration testing (and, by implication, an attack by cybercriminals) doesn’t always follow the obvious path, as it didn’t in our 2015 story on the risks of an internet-of-things connected kettle.
In that story, the security researchers weren’t interested in hacking the kettle because it was a kettle.
They were interested because it contained a copy of the key to the network, and could be tricked into revealing that key.
Orange figured that files.fb.com might have more to offer than just a stash of files, and that turned out to be a good guess: a number of bugs in server allowed remote code execution (RCE) to deliver what’s called a web shell.
Simply put, that means a legitimate-looking web request, albeit with an unusual URL and request body, could be used to run a system command on the server itself – and the server, of course, is on the inside of the network.
At this point, Orange had enough to claim a solid bounty from Facebook: the ability to run system commands inside the network, without logging in or giving any sort of password, from outside the network.
Strictly speaking, Orange ought to have reported the bug here, and stopped.
What happened next?
But Orange couldn’t resist looking around, and amongst the sort of filenames you’d expect on a collaboration server, soon spotted files that looked like something left behind by an earlier hacker:
bN3d10Aw.php uploader.php B3dKe9sQaa0L.log
The abovementioned log file turned out to contain left-over data from the previous hacker’s stash, allegedly including plaintext Facebook login credentials.
Orange surmised that these credentials included network login passwords for Facebook employees, though quite how far an attacker could get with those passwords isn’t clear.
Other log files that Orange trawled through showed further evidence of what the earlier hacker had been up to, including: poking around on the network; probing the mail server and the directory server; and trying unsuccesfully to steal encryption keys.
As we mentioned at the outset, Facebook paid Orange a $10,000 bug bounty, and described the earlier mystery hacker as a participant in the company’s bug program.
Facebook isn’t saying how it connected the earlier hacks with a specific researcher.
By the way, if you’re interested in penetration testing, especially if you are participating under the general rules of a bug bounty program rather than under a specially-agreed contract, we recommend that you don’t go as far as either hacker in this case.
Orange stretched the rules a bit; the earlier mystery hacker stretched them a lot.
In particular, collecting login credentials without an explicit signed agreement is usually considered off-limits, not least because once you take them, you run the risk of losing control over them yourself, as happened in this case.
That takes you from helping to fix a security problem to creating a new one.
That’s exactly the same sort of dilemma you face when doing anti-malware research: how to run real malware in a way that is realistic enough to help you to understand it without actually inflicting it on other innocent users.
You don’t make security stronger by weakening it!