CERT/CC has published an advisory detailing the vulnerabilities uncovered by a researcher in February while trying to find security holes in one of Facebook’s servers.
While hunting for flaws that he could report to Facebook’s bug bounty program, security consultant Orange Tsai came across a domain called files.fb.com. The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.
An analysis revealed that the Accellion product had been plagued by 7 vulnerabilities, one of which allowed Tsai to upload a web shell to the Facebook server. Facebook said it stopped using the vulnerable software following the incident.
