Facebook bug hunter stumbles on backdoor left by… another bug hunter
When Orange Tsai set out to participate in Facebook’s bug bounty program in February, he managed to gain access to one of Facebook’s corporate servers. But once in, he realized other hackers had beaten him to it.
Tsai thought he had stumbled on some malicious activity in Facebook’s network. But, according to a statement from Facebook on Friday, what he found was something else.
Tsai, a consultant with Taiwanese penetration testing outfit Devcore, had started by mapping Facebook’s online properties, which extend beyond user-facing services like facebook.com or instagram.com.
One server that caught his attention was files.fb.com, which hosted a secure file transfer application made by enterprise software vendor Accellion and was presumably used by Facebook employees for file sharing and collaboration.