How I Hacked Facebook

Original author: Ryan Dewhurst
  • Translation
Okay, okay. I didn't exactly "hack Facebook." I managed to execute an operating-system-level command on one of Facebook's servers.

Here is the story of how I did it.

Last September I ended up in bed with a terrible flu. Just lying there was boring, so I started digging around in the Facebook Bug Bounty program. I had participated in similar programs before, but never in Facebook's.

Incidentally, this is not a sophisticated hack at all, but it worked.

I started with nmap, scanning ports on the domains owned by Facebook, and found several services on different IP addresses. I also looked at the companies Facebook had acquired and ran a similar scan of the standard ports on the services I found there.

On one of the IP addresses belonging to a Facebook acquisition, Jenkins was running on its standard port. When I opened it in my browser, I unfortunately got a Basic Authentication login prompt. I believe this is where most other bug hunters, and Facebook's own security team, stop testing.

I decided to run a full port scan with nmap. The results showed another Jenkins service running on a less common port. When I accessed it, no authentication was waiting for me. Bingo!

For those who don't know, Jenkins is a continuous integration (CI) server. Once authenticated, it lets you run Groovy code through the Jenkins Script Console.

Using Groovy code and the Jenkins Script Console, I could execute commands on the server as the jenkins user.
Sample Groovy code that runs the whoami command:

def command = """whoami"""
def proc = command.execute()   // spawn the process from the Groovy runtime
println "stdout: ${proc.text}" // read everything the process wrote to stdout
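As an added example (not part of the original post), here is a small Python audit a defender can run against their own Jenkins hosts to check whether the script console is served to an unauthenticated client; the HTTP fingerprints it relies on (the X-Jenkins header, the script form's textarea) and the sample responses are my own assumptions and constructed data, not captured from any real host.

```python
import urllib.error
import urllib.request
from typing import NamedTuple

class JenkinsExposure(NamedTuple):
    is_jenkins: bool
    anonymous_script_console: bool
    note: str

def classify(status: int, headers: dict, body: str) -> JenkinsExposure:
    """Decide, from one anonymous GET /script response, how the instance is exposed."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    text = body.lower()
    # Assumption: Jenkins sends X-Jenkins (older builds: X-Hudson), even on 401/403 pages.
    is_jenkins = "x-jenkins" in hdrs or "x-hudson" in hdrs or "jenkins" in text
    if not is_jenkins:
        return JenkinsExposure(False, False, "no Jenkins fingerprint in response")
    redirected_to_login = status in (301, 302) and "login" in hdrs.get("location", "").lower()
    if status in (401, 403) or redirected_to_login:
        return JenkinsExposure(True, False, f"script console requires authentication (HTTP {status})")
    # Assumption: the console page carries the <textarea name="script"> form.
    if status == 200 and "<textarea" in text and 'name="script"' in text:
        return JenkinsExposure(True, True, "script console form served to an unauthenticated client")
    return JenkinsExposure(True, False, f"unexpected HTTP {status}; review manually")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 30x as HTTPError instead of following it

def fetch_script_page(base_url: str, timeout: float = 5.0):
    """GET <base_url>/script with no credentials; return (status, headers, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/script",
                                 headers={"User-Agent": "jenkins-exposure-audit"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 30x/401/403 land here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")

def audit(base_url: str) -> JenkinsExposure:
    return classify(*fetch_script_page(base_url))

# Constructed sample responses (not captured from any real host) for offline use.
SAMPLE_OPEN = (200, {"X-Jenkins": "2.0"},
               '<html><form method="post"><textarea name="script"></textarea></form></html>')
SAMPLE_LOCKED = (403, {"X-Jenkins": "2.0"}, "<html>Authentication required</html>")
SAMPLE_OTHER = (200, {"Server": "nginx"}, "<html>Welcome</html>")

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_LOCKED, SAMPLE_OTHER):
        print(classify(*sample))
```

Run audit("http://ci.internal.example:8080") (hypothetical host) against each Jenkins instance on every open port found by a full port scan of your own ranges, not just the standard one.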

I reported this issue to Facebook and they fixed it very quickly. I received $7,500 through their bug bounty program. The payment took several months and a lot of back-and-forth emails, but ultimately I got it.

What's the takeaway? Don't forget the basics. I found a fairly serious flaw in one of Facebook's acquisitions while lying in bed, using nothing but nmap.

I'd like to thank Facebook for the payout, and I hope to be able to report more bugs to them in the future.
