Researcher hacked Facebook by exploiting flaws in MobileIron MDM

The researcher hacked Facebook after identifying and exploiting an unauthenticated RCE in MobileIron’s Mobile Device Management (MDM) system, which the company uses to manage its employees’ devices.


A platform is not always found vulnerable through its own fault, at least not entirely. Sometimes a third-party service it relies on has a negative ripple effect on user security.


Such is the recent case of Facebook, where researcher Orange Tsai from DEVCORE found Facebook exposed to critical attacks because of a flaw in MobileIron. For your information, MobileIron is a Mobile Device Management (MDM) system used by the social network giant to control employees’ corporate devices.


See: Hacking Facebook Account by Simply Knowing Account Phone Number


The researcher identified three vulnerabilities that allow attackers to perform:

Arbitrary file reading – CVE-2020-15507
Remote Code Execution (RCE) – CVE-2020-15505
Remote bypass of the authentication measures in place – CVE-2020-15506

All of these were reported to MobileIron in March and a patch was released by the company afterward on June 15th, 2020. However, since it happens to be one of the most used MDMs out there with almost 20,000 companies under its belt, it was essential to see how fast these user-companies adopt the patch.



In doing so, one of the companies monitored was Facebook; after 15 days of tracking, it was found that its team had taken no action. With this in mind, Tsai gained remote access to Facebook’s server through a shell connection, which is demonstrated in the video below: