Facebook bug hunter stumbles on backdoor left by hackers
When Orange Tsai set out to participate in Facebook’s bug bounty program in February, he successfully managed to gain access to one of Facebook’s corporate servers. But once in, he realized that malicious hackers had beaten him to it.
Tsai, a consultant with Taiwanese penetration testing outfit Devcore, had started by mapping Facebook’s online properties, which extend beyond user-facing services like facebook.com or instagram.com.
One server that caught his attention was files.fb.com, which hosted a secure file transfer application made by enterprise software vendor Accellion and was presumably used by Facebook employees for file sharing and collaboration.