The use of bounty programs to track down security vulnerabilities in websites and software is increasingly common these days, and it's a tactic employed by Facebook.
One bounty hunter - or penetration tester - hacked his (or her… they are anonymous) way into the social network and made the shocking discovery that someone had already installed a backdoor.
Orange Tsai managed to compromise a Linux-based staff server and found there was already a piece of malware in place syphoning off usernames and passwords. These account details were being transmitted to a remote computer, and after revealing this to Facebook, Tsai pocketed $10,000 as a reward.
Facebook says that the malware was installed by a security researcher who was trying to earn themselves a bounty. Tsai, who works for Devcore in Taiwan, has provided a detailed write-up of what poking around Facebook servers revealed. Using a reverse lookup, Tsai discovered the existence of files.fb.com, which was running Accellion's Secure File Transfer service, a product known to suffer from certain vulnerabilities.
Using an SQL injection vulnerability, Tsai was able to execute remote code on the server and gain control of it. It was at this point that password-stealing PHP scripts were found to be present.
In a statement, Facebook security engineer Reginaldo Silva said:
Facebook stresses that no user information was compromised by the backdoor.