Facebook Security Reveals Zero-Day Java Attack
It's never good when you have to make an official public report about a hacker attack on your multi-billion-dollar social network. That's what happened this week: Facebook's Chief Security Officer Joe Sullivan let it be known that several engineers on Facebook's staff had been hit by a zero-day Java exploit. The good news is that no user data was exposed (that's your stuff); the bad news is that Facebook wasn't the only company targeted by this attack.
According to Sullivan, this attack worked as a "watering hole": the attackers compromised an unnamed "popular mobile developer Web forum" and used it as a trap for unsuspecting visitors. When the first member of Facebook's engineering team visited the site, that engineer tripped the wire, so to speak, and the zero-day Java exploit began to take hold of machines at Facebook. The attack is tied to a Java vulnerability that Oracle documented earlier this month.
Similar attacks have been popping up recently in several places, including Twitter's recent incident in which data for some 250,000 accounts, including salted password hashes, was stolen. In a related move, Mozilla has made Firefox block the Java plugin by default, so it only runs when the user explicitly allows it. Can't be too careful!
In the Facebook case, patching would not have saved the engineers: the vulnerability was a zero-day, so no fix existed at the time they were compromised. Sullivan notes that the exploit was "injected into the site's HTML," which means any visitor with the Java browser plugin enabled was exposed simply by loading the page, with no click required. The attackers did gain access to some "corporate data, email, and some software code." How much, and how serious the breach really was, has not been made entirely clear.
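One practical check that follows from the "injected into the site's HTML" detail: if you operate a forum or any other site your developers visit, you can scan saved copies of your pages for anything that would make a visitor's Java plugin run code. The scanner below is an added example written for this article, not code from Facebook, Oracle or Ars Technica. It looks for the standard Java loaders (the `applet` element, `object`/`embed` elements with a Java MIME type, the Java Plug-in ActiveX classids, references to `.jar`/`.jnlp`/`.class` resources, and the `deployJava.js` Deployment Toolkit script); the classid values are as the editor knows them and are marked as assumptions in the code, and the sample page is constructed for illustration.

```python
"""Flag HTML elements that would load Java in a visitor's browser.

Added example for this article (not the article's, Facebook's or Oracle's code).
Run it over saved copies of pages you host to spot an injected applet loader
of the kind described in the watering-hole attack above.
"""
from html.parser import HTMLParser

# MIME types handled by the Java browser plugin.
JAVA_MIME_TYPES = {
    "application/x-java-applet",
    "application/x-java-vm",
    "application/x-java-bean",
    "application/x-java-jnlp-file",
}
# ActiveX classids for the Java Plug-in (assumed values; the CAFEEFAC family
# encodes a requested Java version in its trailing digits).
JAVA_CLSID_PREFIXES = (
    "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93",
    "clsid:cafeefac-",
)
JAVA_RESOURCE_SUFFIXES = (".jar", ".jnlp", ".class")
LOADER_SCRIPTS = ("deployjava.js",)  # Oracle's Java Deployment Toolkit


class JavaLoaderScanner(HTMLParser):
    """Collect every element that would cause the Java plugin to run code."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _flag(self, tag, reason, attrs):
        line, _col = self.getpos()
        target = ""
        for key in ("code", "archive", "data", "src", "jnlp_href"):
            if attrs.get(key):
                target = attrs[key]
                break
        self.findings.append(
            {"line": line, "tag": tag, "reason": reason, "target": target}
        )

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "applet":
            self._flag(tag, "applet element", a)
        elif tag in ("object", "embed"):
            mime = a.get("type", "").lower().split(";", 1)[0].strip()
            classid = a.get("classid", "").lower()
            targets = [a.get(k, "").lower() for k in ("data", "src", "archive", "jnlp_href")]
            if mime in JAVA_MIME_TYPES:
                self._flag(tag, "type=" + mime, a)
            elif classid.startswith(JAVA_CLSID_PREFIXES):
                self._flag(tag, "Java plugin classid", a)
            elif any(t.endswith(JAVA_RESOURCE_SUFFIXES) for t in targets):
                self._flag(tag, "references a Java resource", a)
        elif tag == "script":
            src = a.get("src", "").lower().split("?", 1)[0]
            if src.endswith(LOADER_SCRIPTS):
                self._flag(tag, "loads the Java Deployment Toolkit", a)


def scan_html(html):
    """Return a list of findings (line, tag, reason, target) for one page."""
    scanner = JavaLoaderScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign forum page with a 1x1 applet and two hidden
# JNLP loaders appended, the way an injected watering-hole payload might look.
SAMPLE_PAGE = """<html><head><title>Dev forum</title>
<script src="/static/forum.js"></script>
</head><body>
<object type="application/x-shockwave-flash" data="/media/banner.swf"></object>
<p>Thread: best crash reporter for Android?</p>
<!-- constructed 'injected' section starts here -->
<applet code="Loader.class" archive="/cache/x.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="0" height="0">
  <param name="jnlp_href" value="/cache/x.jnlp">
</object>
<embed type="application/x-java-jnlp-file" src="/cache/x.jnlp" width="0" height="0">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f['line']}: <{f['tag']}> {f['reason']} {f['target']}".rstrip())
```

Run this against a baseline copy of each page and alert on any new finding; a legitimate site that never shipped Java content should produce none. Note that this only spots the loader in the HTML, not what the referenced `.jar` or `.jnlp` does, so treat every hit as something to pull and inspect.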
What Sullivan does make clear is that Facebook's engineers are working to reduce the number of products they use that depend on Java. Of course, that isn't the end of the story; attackers keep moving, and the cat-and-mouse game goes on. Check the timeline below for more Java-related history and a sense of how one piece of software history may be on its way out.
[via Ars Technica]