"A brief summary, the hacker created a proxy on the credential page to log the credentials of Facebook employees," Orange recalls. "These logged passwords were stored under web directory for the hacker to [access]... every once in a while."

The scripts were used once in July and then again in September of last year. After collecting some additional information about his exploit, the researcher submitted his findings to Facebook's bug bounty program back in February of this year. He was rewarded US$10,000 for his efforts. Since then, Reginaldo Silva, a security engineer at Facebook, has confirmed that the malicious scripts were put in place by another researcher hoping to snag a bug bounty.
"We're really glad Orange reported this to us. In this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security," said Silva. "We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

For information on Facebook's bug bounty program, please click here.