While earning a $10,000 bounty, a penetration tester called Orange Tsai discovered another hacker’s backdoor already in place on a Facebook server, as reported by The Register. Orange Tsai turned in the other hacker’s mischief along with O.T.’s own success at cracking the server. Just another day in the life of professional bounty hacker.
Facebook’s bug bounty program pays rewards to anyone who finds and documents problems with its websites or systems. The rules for the program are detailed along with a long list of eligible websites, apps, and services. Fair game Facebook assets include Facebook.com, Instagram.com, and Oculus.com. WhatsApp, LiveRail, and Atlas aren’t included, so if you’re hacking for a bounty, hack elsewhere.
Orange Tsai works for Taiwan-based Devcore and published the full details of the hunt on a company blog. O.T. hacked into a Facebook staff server. Once inside, O.T. found a backdoor left by another hacker, along with code that could exploit Facebook staff credentials.
Orange Tsai reported the other hacker’s access when turning in his own bug report. After researching the reports, Facebook security engineer Reginaldo Silva discovered they already knew of the other hacker. That person is also part of their bug hunt program.
“We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were (sic) able to compromise other parts of our infrastructure, so the way we see it, it’s a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access,” said Silva.
So Orange Tsai was paid for breaking into the Facebook server and also recognized for finding bug hunter tracks. In addition the money, Facebook recognized Orange Tsai on its official bug hunt thank you list.