A handful of Facebook engineers were reportedly victims of a Java-based zero-day hack that riddled the computers in question with malware last month. Fortunately, Facebook figured out the existence of the malware before any further damage was done. But while the incident was reported a month ago, Facebook’s security team just got around to publishing a follow up blog post about the attack. Rest assured the social networks says it “found no evidence that Facebook user data was compromised.”
This zero-day exploit, meaning that this malware was never seen before, was discovered when Facebook “flagged a suspicious domain in [Facebook’s] corporate DNS logs and tracked it back to an employee laptop.” Facebook’s Chief Security Officer, Joe Sullivan, tells Ars Technica that the malware was piggybacking on the HTML of a compromised popular mobile developer Web forum and it could infect both Mac and Windows computers.
Anyone visiting the original site would have contracted the malware, which seemed to be the case since Facebook wasn’t the only victim. Facebook, however, hasn’t divulged what other companies have been affected.
According to Facebook, there wasn’t much that could have been done to protect the laptops other than not having visited the infected site in the first place. “The laptops were fully-patched and running up-to-date anti-virus software.” Since the exploit was a zero-day attack in the first place, anti-virus software wouldn’t have been able to detect and protect infected computers. The vulnerability in Java that unknowingly left the door open for this type of malware has since been patched by Oracle on February 1.
Companies with infected computers were notified of the malware, and Facebook is currently working with law enforcement to track down the culprit.
Our personal data may not have been stolen, but Facebook reports that the malware looked like it was peeking into what the social network was working on. So whatever information the affected Facebooks engineers had or accessed on their computers, including code, corporate data, and emails, was stolen.
Java has been on the receiving end of criticism recently. Just last week, another zero-day Java exploit was discovered, although by then it was too late and the attack was already running “arbitrary code” on infected systems. These aren’t the first string of attacks on Java and definitely not the end. And the realization about Java’s many vulnerabilities that are waiting to be discovered will no doubt motivate copycat hackers. To steer clear of possibly compromising your system, you can disable Java on your browser altogether – and that’s a recommendation straight from the U.S. Department of Homeland Security.