How I Hacked Facebook
- Translation
All right, all right. I didn't exactly "hack Facebook." I managed to execute an operating-system-level command on one of Facebook's servers.
This is the story of how I did it.
Last September I ended up in bed with a terrible flu. Just lying there was boring, so I started digging into the Facebook vulnerability disclosure program (Facebook Bug Bounty). I had taken part in similar programs before, but never in Facebook's.
By the way, this is not a complicated hack at all, but it worked.
I started with nmap, scanning ports and limiting myself to domains owned by Facebook. I found several services on different IP addresses. I also looked at the companies Facebook had acquired, and ran a similar scan of the standard ports on the services I discovered.
On one of the IP addresses belonging to a Facebook acquisition was Jenkins, running on a standard port. When I opened it in my browser, unfortunately, I got a Basic Authentication login prompt. I believe this is where most other bug hunters, and Facebook's own security team, stop testing.
I decided to do a full port scan with nmap. The results showed another Jenkins service running on a less standard port. When I accessed it, no authentication was waiting for me. Bingo!
For those who don't know, Jenkins is a continuous integration (CI) server. Once authenticated, it lets you run Groovy code through the Jenkins Script Console.
Using Groovy code and the Jenkins Script Console, I could execute commands on the server as the jenkins user.
Sample Groovy code to run the whoami command:
def command = """whoami"""         // the OS command to run
def proc = command.execute()       // Groovy spawns it as a child process of the Jenkins JVM
proc.waitFor()                     // block until the process exits
println "stdout: ${proc.in.text}"  // print what it wrote to stdout (here, the jenkins user name)
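The post stops at the finding; the fix on the Jenkins side is to never let the instance run with no security realm and an "unsecured" authorization strategy, because in that state anonymous visitors hold every permission, including RUN_SCRIPTS for the Script Console. The following init script is an added example, not code from the post or from the Jenkins project; it audits that state at startup and enforces authentication if it is found. The admin account name and the JENKINS_ADMIN_PASSWORD environment variable are assumptions of this example.

```groovy
// Added example: drop into $JENKINS_HOME/init.groovy.d/ so it runs at startup.
// Assumed: an "admin" account seeded from the JENKINS_ADMIN_PASSWORD env var.
import jenkins.model.Jenkins
import hudson.security.AuthorizationStrategy
import hudson.security.SecurityRealm
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.csrf.DefaultCrumbIssuer

def jenkins = Jenkins.getInstance()

// Audit: the state described in the post is "no realm + Unsecured strategy",
// which is exactly what lets an anonymous visitor open /script.
boolean noRealm   = jenkins.getSecurityRealm() == SecurityRealm.NO_AUTHENTICATION
boolean unsecured = jenkins.getAuthorizationStrategy() instanceof AuthorizationStrategy.Unsecured
println "security realm configured: ${!noRealm}, authorization unsecured: ${unsecured}"

if (noRealm || unsecured) {
    def password = System.getenv("JENKINS_ADMIN_PASSWORD")
    if (!password) {
        // Better to fail startup than to come up open to the internet.
        throw new IllegalStateException("JENKINS_ADMIN_PASSWORD not set; refusing to start unsecured")
    }

    // Local user database; 'false' disables self-registration.
    def realm = new HudsonPrivateSecurityRealm(false)
    realm.createAccount("admin", password)
    jenkins.setSecurityRealm(realm)

    // Logged-in users get full control; anonymous gets nothing, not even read.
    def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
    strategy.setAllowAnonymousRead(false)
    jenkins.setAuthorizationStrategy(strategy)

    // CSRF crumbs for POSTs such as /script ('true' = do not bind crumb to client IP).
    jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))

    jenkins.save()
    println "hardened: authentication and authorization are now enforced"
}
```

The audit lines are also useful on their own in the Script Console of an already-authenticated instance, to confirm that a second listener on a non-standard port is not still running unsecured.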
I reported this issue to Facebook and they fixed it very quickly. I received $7,500 through their bug bounty program. The payment took several months and many emails back and forth, but in the end I got it.
What's the takeaway? Don't forget the basics. I found a fairly serious mistake in one of Facebook's acquisitions, just lying in bed, using nothing but nmap.
I'd like to thank Facebook for the payment, and I hope I'll be able to report more bugs to them in the future.