
Facebook Hacked by Zero-Day Java Exploit

Source: Facebook Security | 21 comments

Facebook is now one of many popular sites that have been recently hacked.

On Friday the Facebook Security blog revealed that the social website was hacked via a zero-day Java exploit last month. The attack occurred when a handful of Facebook employees visited a mobile developer's compromised website. The laptops used by these employees were fully patched and running up-to-date anti-virus software, yet an exploit hosted on the website still allowed malware to be installed on them.

Facebook Security said it initially flagged a suspicious domain in its corporate DNS logs and tracked it back to an employee laptop. After digging through its hardware and files, the team identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.
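The detection sequence that paragraph describes (flag a domain in corporate DNS logs, trace it to one laptop, then sweep company-wide for every other host that resolved it) can be sketched as a small log triage. The code below is an added example and is not Facebook's tooling; its log format, its allowlist and every domain, IP address and timestamp in it are constructed for the illustration.

```python
"""Added example: triage corporate DNS query logs the way the article
describes. Everything here (log format, allowlist, hosts, domains) is
constructed for the illustration and is not data from the incident."""
from collections import defaultdict

# Constructed resolver log, one query per line: "<timestamp> <client-ip> <domain>".
SAMPLE_DNS_LOG = """\
2013-01-14T09:01:02 10.0.5.21 www.facebook.com
2013-01-14T09:01:05 10.0.5.21 developer-blog.example.test
2013-01-14T09:01:06 10.0.5.21 cdn-update.example-suspicious.test
2013-01-14T09:03:10 10.0.5.33 www.facebook.com
2013-01-14T09:05:44 10.0.5.33 mail.example-corp.test
2013-01-14T10:12:00 10.0.5.58 cdn-update.example-suspicious.test
2013-01-14T10:12:01 10.0.5.58 www.facebook.com
2013-01-14T11:40:19 10.0.5.21 cdn-update.example-suspicious.test
"""

# Domains the organisation already knows and trusts (constructed allowlist).
KNOWN_GOOD = {"www.facebook.com", "mail.example-corp.test"}


def parse_dns_log(text):
    """Return a list of (timestamp, client_ip, domain) tuples.

    Malformed or blank lines are skipped rather than crashing the sweep;
    a real resolver log has plenty of both.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append(tuple(parts))
    return records


def rare_unknown_domains(records, max_clients=2):
    """Step 1: domains outside the allowlist that few hosts ever resolve.

    An implant's command domain is typically looked up by one or two
    machines and nobody else in the company, so "not known good" plus a
    low distinct-client count is the first triage signal. It yields leads
    to investigate, not proof of compromise (a niche developer blog trips
    the same rule, as the sample shows).
    """
    clients_by_domain = defaultdict(set)
    for _ts, client, domain in records:
        if domain not in KNOWN_GOOD:
            clients_by_domain[domain].add(client)
    return sorted(
        domain for domain, clients in clients_by_domain.items()
        if len(clients) <= max_clients
    )


def hosts_that_resolved(records, domain):
    """Step 2/3: pivot from a confirmed-bad domain to every host that
    queried it, with each host's first sighting. This is the
    company-wide search that turns one flagged laptop into the full
    list of machines to pull for analysis.
    """
    first_seen = {}
    for ts, client, dom in records:
        if dom == domain and client not in first_seen:
            first_seen[client] = ts
    return first_seen


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("leads:", rare_unknown_domains(recs))
    # After the analyst confirms which lead is malicious, sweep for it.
    print("hosts to examine:",
          hosts_that_resolved(recs, "cdn-update.example-suspicious.test"))
```

The order matters: the rarity filter is cheap and noisy, so it only produces leads; the host pivot runs on a domain an analyst has already tied to a malicious file, which is the point at which the article's team went from one laptop to "several other compromised employee laptops".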

"After analyzing the compromised website where the attack originated, we found it was using a 'zero-day' (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware," the company said. "We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability."

Facebook said it was one of many that were recently attacked and infiltrated. It immediately alerted other "companies and entities" that were affected with details about the social website's own infiltration. Facebook said it will continue to collaborate on the incident through an informal working group and more.

"We have found no evidence that Facebook user data was compromised," Facebook Security said. "We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future."

Naturally the details on what the malware actually accomplished weren't provided.

The news arrives two weeks after Twitter was hacked and 250,000 user accounts possibly compromised. Other recent targets have included the Wall Street Journal, the New York Times and the Washington Post. The latter three have blamed the Chinese government for their hacks whereas Twitter and Facebook have yet to point any fingers.

AllThingsD suggests the two social network attacks could be connected, noting that Twitter's director of information security, Bob Lord, reminded users that security experts strongly recommend disabling Java in their browsers. Both companies also indicated in their public statements that they are part of a larger series of widespread attacks.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said earlier this month. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

"Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well," Facebook stated.

 

Comments
  • 14
    Anonymous, February 17, 2013 3:25 AM
    china
  • 20
    A Bad Day, February 17, 2013 4:16 AM
    Java: Great programming language

    Oracle: Missing in action :(
  • 21
    johnnyevil, February 17, 2013 4:42 AM
    Delete. Your. Accounts.
  • 28
    universal remonster, February 17, 2013 4:50 AM
    johnnyevil: "Delete. Your. Accounts."

    It wouldn't matter. All of your personal info is retained by Facebook even after you delete an account.
  • 22
    fnh, February 17, 2013 7:14 AM
    Falsify. Your. Accounts.
  • 1
    FinneousPJ, February 17, 2013 8:37 AM
    They need to rewrite Java from scratch.
  • 12
    tokencode, February 17, 2013 8:45 AM
    FinneousPJ: "They need to rewrite Java from scratch."

    Java needs to die...
  • 3
    susyque747, February 17, 2013 12:09 PM
    Facebook and Twitter are for Tools & Fools, no sympathy for them.
  • -7
    wemakeourfuture, February 17, 2013 1:06 PM
    universal remonster: "It wouldn't matter. All of your personal info is retained by Facebook even after you delete an account."

    That is absolutely incorrect. This used to be true many years ago and is no longer.

    The privacy commissioner in Canada told Facebook their retention of data of deleted users violated Canadian privacy laws, and Facebook not only made changes to remove deleted users' data forever after X number of days of deletion (believe 30), they applied this to all global users.

    ---

    Deletion
    When you delete an account, it is permanently deleted from Facebook. It typically takes about one month to delete an account, but some information may remain in backup copies and logs for up to 90 days. You should only delete your account if you are sure you never want to reactivate it. You can delete your account here. Learn more.
    Certain information is needed to provide you with services, so we only delete this information after you delete your account. Some of the things you do on Facebook aren't stored in your account, like posting to a group or sending someone a message (where your friend may still have a message you sent, even after you delete your account). That information remains after you delete your account.

    http://www.facebook.com/about/privacy/your-info

    So many homers on TH that gave the above comment a thumbs up, pathetic, just haters who don't even know policies changed almost 3 years ago...
  • -2
    wemakeourfuture, February 17, 2013 1:08 PM
    susyque747: "Facebook and Twitter are for Tools & Fools, no sympathy for them."

    You're a moron, it's a way for people to exchange information, there's nothing wrong with them. People from simple internet users to multi-billion dollar IT companies use both services.
  • -4
    wemakeourfuture, February 17, 2013 1:10 PM
    fnh: "Falsify. Your. Accounts."

    What's to falsify? What are you even talking about?

    It was Facebook employees using a website that contained a Java vulnerability; this did not affect actual Facebook users or their data.

    Wow, people can't even read a few sentences to understand what an article is before making unrelated comments...
  • 6
    house70, February 17, 2013 1:33 PM
    Looks like wemakeourfuture is a FB zealot. Good thing he's not involved in making my future...LOL.
    I, for one, couldn't care less about FB. People that post personal info on sites like these should agree that info is not theirs anymore.
  • 4
    STravis, February 17, 2013 2:07 PM
    I always laugh when I hear about people being surprised that they got hacked even though they have their computers patched and latest antivirus, etc. It's like they're new to computers and don't understand that patches only take care of past known vulnerabilities; they do nothing for stuff that is being discovered every hour of every day.
  • 12
    someguynamedmatt, February 17, 2013 2:30 PM
    wemakeourfuture: "You're a moron, it's a way for people to exchange information, there's nothing wrong with them. People from simple internet users to multi-billion dollar IT companies use both services."

    wemakeourfuture: "Wow, people can't even read a few sentences to understand what an article is before making unrelated comments..."

    wemakeourfuture: "So many homers on TH that gave the above comment a thumbs up, pathetic, just haters who don't even know policies have changed almost 3 years ago..."

    When you triple post, taking up half of the comment section, to do nothing other than call TomsHardware users morons, you aren't exactly making a good case for yourself, buddy. When something is upvoted, it generally means people agree with it, regardless of your own opinion.
  • 1
    alextheblue, February 17, 2013 2:39 PM
    A Bad Day: "Java: Great programming language / Oracle: Missing in action"

    Knock knock.
    Who's there?
    ....
    ....
    ....
    ....
    ....
    ....Java.
  • 4
    SirGCal, February 17, 2013 2:46 PM
    wemakeourfuture: "You're a moron, it's a way for people to exchange information, there's nothing wrong with them. People from simple internet users to multi-billion dollar IT companies use both services."

    Nice name-calling... But no, you are incorrect. That is their facade, but they actually are the biggest sources of data collection services, advertising, etc. and also happen to be the current world's largest malware infection source sites today. Think about it... They don't charge you anything to use their services/servers/etc. But yet they're worth billions themselves... And now both FB and Tw have 'track where I am' type services... Sure, this is just to keep your friends, who really could not give 2 hoots about you, your active location... And that's all... Right. If you really believe that. But even without the (also ridiculous) conspiracy theories of its function, it is data that can be used for advertising and other data collection. Not to mention the possible list of crimes made easier with that type of information. And that's just one aspect.

    I stopped using FB long ago and removed all of my photos when they were going to make that policy change. I never liked Twitter. No one cares what I'm doing immediately right now unless they are with me doing it. Honestly, the thought that someone would sit there and really have to/want to know my every thought and action alone is very concerning at a minimum.
  • -1
    lradunovic77, February 17, 2013 3:02 PM
    Java needs to die, crappiest programming language ever.
  • 1
    memadmax, February 17, 2013 11:13 PM
    You guys that are pooping on Java prolly poop on MS and laugh every time a Windows user gets malware...

    Meanwhile, back on your iOS/macOS machine, who knows how much malware is flowing thru your system because the creator was such an egotistical maniac that he declared that there are "No viruses on the Macintosh", and didn't even bother building even a mediocre free anti-virus program..........
  • 3
    rantoc, February 18, 2013 12:14 PM
    The cloud is completely safe, move _everything_ there *random evil laughter*
  • 0
    Anonymous, February 18, 2013 2:25 PM
    It's not Java's fault that there are all these security holes. It's Oracle's fault for not properly developing and maintaining the runtime environment. Microsoft's .NET runtime is just as vulnerable, but MS releases security patches on a regular basis, and they are actively developing the runtime.

    Java is a great language that is unfortunately in the care of the wrong company. I'd like to see it handed off to a non-profit consortium and maintained by the open-source community, or maybe it could be purchased by Google or IBM.