Facebook says in a blog post that it was targeted in a sophisticated attack in January. The company has found no evidence that Facebook user data was compromised in the attack.
Facebook Security flagged a suspicious domain in the company’s corporate DNS logs and tracked the queries back to an employee laptop. A forensic examination of that laptop turned up a malicious file, and a company-wide search for the same file flagged several other compromised employee laptops.
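The pivot described above, from one odd domain in resolver logs to the full set of affected machines, is worth showing concretely. The following is an added example, not Facebook’s tooling: it parses a few constructed BIND-style query-log lines, matches query names against a constructed watchlist (subdomains included), maps client IPs to hostnames through a constructed inventory, and reports which hosts resolved the domain and which one did so first. The log lines, watchlist, IPs and hostnames are all made up for illustration.

```python
"""DNS-log triage: from a suspicious domain to the hosts that resolved it.

Added example. The log lines, watchlist and inventory below are constructed
for illustration and are not real data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of corporate resolver logs (BIND query-log style).
SAMPLE_DNS_LOG = """\
01-Feb-2013 09:12:01.123 client 10.1.4.22#51234: query: www.example.com IN A +
01-Feb-2013 09:12:05.456 client 10.1.4.22#51240: query: cdn.example-static.net IN A +
01-Feb-2013 09:13:10.789 client 10.1.4.22#51301: query: update.evil-example.org IN A +
01-Feb-2013 09:13:11.001 client 10.1.4.22#51302: query: update.evil-example.org IN AAAA +
01-Feb-2013 09:40:44.222 client 10.1.7.9#49122: query: mail.example.com IN MX +
01-Feb-2013 10:02:17.333 client 10.1.9.31#50010: query: update.evil-example.org IN A +
01-Feb-2013 10:05:59.444 client 10.1.9.31#50011: query: a1b2c3d4e5f6.evil-example.org IN A +
"""

# Constructed watchlist: a domain an analyst has decided is suspicious.
# Any subdomain of it counts as a hit.
WATCHLIST = {"evil-example.org"}

# Constructed asset inventory: resolver-side client IP -> hostname.
INVENTORY = {
    "10.1.4.22": "laptop-alice",
    "10.1.7.9": "laptop-bob",
    "10.1.9.31": "laptop-carol",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def matches_watchlist(qname, watchlist=WATCHLIST):
    """True if qname is a watchlisted domain or any subdomain of one.

    Checks every label suffix so 'a.b.evil-example.org' matches 'evil-example.org'
    while 'evil-example.org.example.com' does not."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def triage(log_text, watchlist=WATCHLIST, inventory=INVENTORY):
    """Return {hostname: [(timestamp, qname, qtype), ...]} for every client
    that resolved a watchlisted name, events sorted by time per host.
    Unknown IPs fall back to the raw address so nothing is silently dropped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_watchlist(rec["qname"], watchlist):
            host = inventory.get(rec["ip"], rec["ip"])
            hits[host].append((rec["ts"], rec["qname"], rec["qtype"]))
    return {host: sorted(events) for host, events in hits.items()}


def first_seen(log_text, watchlist=WATCHLIST, inventory=INVENTORY):
    """(hostname, timestamp) of the earliest hit: the machine to image first."""
    earliest = None
    for host, events in triage(log_text, watchlist, inventory).items():
        ts = events[0][0]
        if earliest is None or ts < earliest[1]:
            earliest = (host, ts)
    return earliest


if __name__ == "__main__":
    for host, events in triage(SAMPLE_DNS_LOG).items():
        print(host)
        for ts, qname, qtype in events:
            print(f"  {ts}  {qname}  {qtype}")
    print("first seen:", first_seen(SAMPLE_DNS_LOG))
```

On the constructed sample this reports two hosts, laptop-alice (first, at 09:13) and laptop-carol, and leaves laptop-bob out because it only queried legitimate names. The suffix matching matters in practice: a watchlist that only does exact comparison misses the per-victim subdomains that beaconing malware commonly uses.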
After analyzing the website where the attack originated, Facebook found it was using a previously unseen ‘zero-day’ exploit that bypassed the Java sandbox (the built-in protections meant to stop code running in the browser plug-in from reaching the host system) to install the malware. Facebook reported the exploit to Oracle, which confirmed the finding and released a patch on February 1, 2013, that addresses the vulnerability. Machines that still run an unpatched Java browser plug-in remain exposed to the same technique; anyone who does not need Java in the browser is better off disabling the plug-in than relying on patching alone.
Facebook has begun an investigation and is working with its internal engineering teams, security teams at other companies, and law enforcement authorities.
Facebook Bug Bounty Program
Facebook runs a bug bounty program that invites security researchers to look for vulnerabilities in Facebook. The company’s Responsible Disclosure Policy says “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you,” and the program showcases a list of people credited for making a responsible disclosure to the company.
The rewards? Facebook offers a $500 minimum reward, with the bounty going higher for ‘severe or creative’ bugs.