While testing Facebook for potential backdoors, Devcore penetration tester Orange Tsai discovered that a backdoor did in fact exist; however, it was not Facebook's own code but had been planted by a previous penetration tester. The backdoor allowed those who knew of it to “execute shell commands and upload files,” and it also hooked the authentication process to log credentials, capturing the login details of any Facebook employee who used the site. Tsai wrote on his blog that “At the time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, mostly ‘@fb.com’ and ‘@facebook.com.’ Upon seeing it I thought it’s a pretty serious security incident.” The logs also showed that the earlier intruder had tried to map Facebook’s internal network, connecting to mail servers and searching the host for private SSL keys.
According to Facebook security engineer Reginaldo Silva, “We’re really glad Orange reported this to us. In this case, the software we were using is third party. As we don’t have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security.” Tsai was awarded $10,000 as his bounty for discovering the bug.