A security researcher has earned a top bug bounty from Facebook after discovering vulnerabilities and a backdoor on a server operated by the social network that led to hundreds of staff passwords being captured by an unknown hacker.
Orange Tsai, of Taiwanese security vendor Devco.re, scanned Facebook's IP address space and found a domain name that piqued his interest.
Tsai discovered the system the domain name - tfbnw.net - ran on a range of servers included a vulnerable version of the Accellion Secure File Transfer application.
While determining how the Accellion SFT was vulnerable, Tsai found anomalous PHP script language error messages that indicated a webshell was installed on the server he was auditing, providing remote access for unknown attackers.
Tsai said he believed the backdoor was an atttempt to collect Facebook staffer logins.
"The hacker created a proxy on the credentials page to log the credentials of Facebook employees," Tsai wrote.
Employee passwords were stored on the server, with the hacker using the WGET file transfer utility to copy them across the internet. According to Tsai, around 300 credentials were logged on the server.
Tsai speculated that the captured credentials could be used for other services running on the compromised system, such as Outlook Web Access and virtual private networking.
The Taiwanese researcher reported the incident to Facebook in February this year, and shortly after received a US$10,000 (A$12,800) bug bounty for his work.
Facebook has since patched the server in question.