Researcher Finds Malicious Web Shell on Facebook Server

UPDATED. A researcher received $10,000 from Facebook after uncovering a serious vulnerability and what appeared to be a malicious web shell left behind by hackers on one of the social media giant’s servers. Facebook has clarified that the web shell was actually uploaded by another researcher analyzing the same flaws and noted that user data was never at risk.

Orange Tsai, a consultant at DevCore, had been analyzing Facebook’s infrastructure when he came across a domain called files.fb.com. The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.

While known vulnerabilities had been patched by Facebook in the Accellion product, the researcher discovered a total of 7 previously unknown issues, including cross-site scripting, local privilege escalation, and remote code execution flaws.

The expert leveraged a pre-auth SQL injection vulnerability that allowed remote code execution to upload a webshell to the Facebook server.

Once he gained control of the server, he started collecting information for a Facebook bug bounty report. That was when he discovered that someone had previously uploaded a webshell to the server.

The said webshell attempted to collect the login credentials of Facebook employees who used the file transfer service. Tsai discovered that the script had harvested roughly 300 @fb.com and @facebook.com credentials between February 1 and February 7.

Based on logs found on the server, the researcher determined that unauthorized parties gained access on two occasions — in early July 2015 and mid-September 2015. It’s worth noting that the July “intrusion” took place just days before Rapid7 disclosed a couple of serious vulnerabilities in the Accellion File Transfer Appliance that had been patched by the vendor a couple of weeks earlier.

The expert informed Facebook of the flaws and the existence of the webshell and received a $10,000 reward for his work. The Accellion product vulnerabilities were also reported to the vendor and their details will be made public in the upcoming period.

Facebook told SecurityWeek that the webshell was actually uploaded by another researcher analyzing the same vulnerabilities and there is no reason to believe his activities were malicious in nature. The company clarified that the server exposed by the vulnerabilities in the Accellion product was never part of the systems that run Facebook, including the systems that host user data. Facebook said it no longer uses the vulnerable software.

Facebook reported in February that it had paid researchers more than $4.3 million since the launch of its bug bounty program in 2011.

*Updated to clarify that Facebook said the webshell was actually uploaded by another researcher, not a malicious actor

Related: Facebook Password Reset Flaw Earns Researcher $15,000

Related: Facebook Pays Out $7,500 Bounty for Account Hijacking Flaw