Facebook Hacked by Zero-Day Java Exploit
On Friday the Facebook Security blog revealed that the social website was hacked via a zero-day Java exploit last month. The attack occurred when a handful of Facebook employees visited a mobile developer's compromised website. The laptops used by these employees were fully patched and running up-to-date anti-virus software, but an exploit hosted by the website somehow allowed malware to be installed on them.
Facebook Security said it initially flagged a suspicious domain in its corporate DNS logs and tracked it back to an employee laptop. After digging through its hardware and files, the team identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.
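The first step described above, going from a flagged domain in DNS logs to the machines that looked it up, can be sketched as follows. This is an added example, not Facebook's tooling; the log format, IP addresses and the domain `bad-domain.test` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines: timestamp, client IP, query name, record type.
# The format, hosts and domains are invented for this example.
SAMPLE_LOG = """\
2013-01-14T09:12:03Z 10.1.4.22 www.example.com. A
2013-01-14T09:12:41Z 10.1.4.22 cdn.Bad-Domain.test. A
2013-01-14T09:13:05Z 10.1.7.80 notbad-domain.test. A
2013-01-15T16:40:10Z 10.1.9.15 bad-domain.test AAAA
2013-01-16T08:02:55Z 10.1.4.22 bad-domain.test. A
### log rotated ###
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.lower().rstrip(".")

def matches(qname, flagged):
    """True for the flagged domain itself or any subdomain of it.
    Matching on a label boundary avoids hits on look-alikes such as
    'notbad-domain.test'."""
    q, f = normalize(qname), normalize(flagged)
    return q == f or q.endswith("." + f)

def hosts_querying(log_text, flagged):
    """Return {client_ip: {"first", "last", "count"}} for matching queries."""
    hits = defaultdict(lambda: {"first": None, "last": None, "count": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse as a query record
        ts, client, qname, _rtype = m.groups()
        if not matches(qname, flagged):
            continue
        h = hits[client]
        # UTC timestamps in one ISO 8601 format sort lexicographically
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["count"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, h in sorted(hosts_querying(SAMPLE_LOG, "bad-domain.test").items()):
        print(ip, h["first"], h["last"], h["count"])
```

The earliest lookup per client gives a starting point for the timeline on each machine, which is where the file-level search the article mentions would begin.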
"After analyzing the compromised website where the attack originated, we found it was using a 'zero-day' (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware," the company said. "We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability."
Facebook said it was one of many organizations that were recently attacked and infiltrated. It immediately shared details of its own infiltration with the other affected "companies and entities." Facebook said it will continue to collaborate on the incident through an informal working group and more.
"We have found no evidence that Facebook user data was compromised," Facebook Security said. "We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future."
Naturally, details of what the malware actually accomplished weren't provided.
The news arrives two weeks after Twitter was hacked and 250,000 user accounts were possibly compromised. Other recent targets have included the Wall Street Journal, the New York Times and the Washington Post. The latter three have blamed the Chinese government for their hacks, whereas Twitter and Facebook have yet to point any fingers.
AllThingsD believes the two social network attacks could be connected, because Twitter director of information security Bob Lord reminded users that security experts strongly recommend turning off Java inside their browsers. Both companies also indicated in their public releases that the attacks are part of a larger series of widespread attacks.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said earlier this month. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
"Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well," Facebook stated.