{"id":19635,"date":"2016-05-04T14:00:05","date_gmt":"2016-05-04T12:00:05","guid":{"rendered":"https:\/\/owncloud.com\/?p=19635"},"modified":"2020-09-30T08:24:39","modified_gmt":"2020-09-30T08:24:39","slug":"blog-accellions-open-back-door-facebook-helps-illustrate-open-sources-worth","status":"publish","type":"post","link":"https:\/\/owncloud.com\/de\/blogs\/blog-accellions-open-back-door-facebook-helps-illustrate-open-sources-worth\/","title":{"rendered":"Accellion&#8217;s Open Back Door to Facebook Helps Illustrate Open-Source&#8217;s Worth"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-19637 size-medium\" title=\"Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net\" src=\"https:\/\/owncloud.com\/wp-content\/uploads\/2016\/05\/ID-100223731-300x227.jpg\" sizes=\"(max-width: 639px) 98vw, (max-width: 1199px) 64vw, 300px\" srcset=\"https:\/\/owncloud.com\/wp-content\/uploads\/2016\/05\/ID-100223731-300x227.jpg 300w, https:\/\/owncloud.com\/wp-content\/uploads\/2016\/05\/ID-100223731-150x113.jpg 150w, https:\/\/owncloud.com\/wp-content\/uploads\/2016\/05\/ID-100223731.jpg 400w\" alt=\"Hacker\" width=\"300\" height=\"227\" \/>Companies open-sourcing their code often incur delays while they \u2018clean up the code\u2019, and the argument of \u2018poor or not acceptable quality code\u2019 is given as a reason not to make it available to the public in the first place. Customers may want to ask themselves how they can trust products with hidden code, given how frequently we hear about low quality standards. Code quality is a serious concern, especially when it comes to security, and a recent hack at Facebook shows why.<\/p>\n<p>Last week, a security researcher\u00a0<a href=\"http:\/\/devco.re\/blog\/2016\/04\/21\/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver\/\" target=\"_blank\" rel=\"noopener\">disclosed how he hacked Facebook<\/a>\u00a0and found someone else\u2019s backdoor script already running there. 
This event, and Facebook\u2019s attempt to downplay its importance, illustrates some of the benefits of open-source and of the industry best practices around security that we employ at ownCloud.<\/p>\n<h2>Motivation<\/h2>\n<p>Orange Tsai, an employee at the Taiwanese security firm Devcore, previously known for a\u00a0<a href=\"https:\/\/hackerone.com\/reports\/125980\" target=\"_blank\" rel=\"noopener\">Remote Code Execution issue on uber.com<\/a>, decided to spend some time trying to find a security issue at Facebook. He explained his motivation:<\/p>\n<blockquote><p>\u201cWith the growing popularity of Facebook around the world, I\u2019ve always been interested in testing the security of Facebook. Luckily, in 2012, Facebook launched the\u00a0<a href=\"https:\/\/www.facebook.com\/whitehat\/\" target=\"_blank\" rel=\"noopener\">Bug Bounty Program<\/a>, which even motivated me to give it a shot.\u201d<\/p><\/blockquote>\n<p>Besides showing\u00a0<a href=\"https:\/\/owncloud.org\/blog\/hackerone-case-study-on-owncloud\/\" target=\"_blank\" rel=\"noopener\">the value of bug bounty programs<\/a>\u00a0again, this highlights what motivates many engineers: a challenge. The bigger and more impactful a technology, the more attention it gets.\u00a0<a href=\"https:\/\/owncloud.org\/blog\/owncloud-grows-to-8-million-users\/\" target=\"_blank\" rel=\"noopener\">With more than 8 million users<\/a>, ownCloud is a very significant project in the open-source community, and benefits from the attention that this generates.<\/p>\n<h2>Accellion\u2019s Open Back Door into Facebook<\/h2>\n<p>Upon researching the networks related to Facebook, Orange found a mostly-hidden files.fb.com site running Accellion\u2019s Secure File Transfer appliance (FTA). 
After researching known exploits, he found\u00a0<a href=\"https:\/\/community.rapid7.com\/community\/metasploit\/blog\/2015\/07\/10\/r7-2015-08-accellion-file-transfer-appliance-vulnerabilities-cve-2015-2856-cve-2015-2857\" target=\"_blank\" rel=\"noopener\">this vulnerability disclosure from Rapid7<\/a>, published some months earlier. While the FTA instance Facebook used was no longer vulnerable to that particular issue, it gave Orange an important clue:<\/p>\n<blockquote><p>\u201cfrom the fragments of source code mentioned in the Advisory, I felt that with such coding style there should still be security issues remained in FTA if I kept looking.\u201d<\/p><\/blockquote>\n<p>His hunch turned out to be true. He quickly found seven vulnerabilities, which he then exploited to gain control of the files.fb.com server. Once in, he looked around \u2013 and found something strange: an error message in the Apache webserver logs.<\/p>\n<p>Following that lead, he discovered a script running on the server that was harvesting log-in credentials, which someone was periodically collecting from outside! Orange describes the other hacker\u2019s actions in detail and expresses some surprise that they had gone unnoticed, since he considered the setup rather poorly hidden.<\/p>\n<h2>Facebook\u2019s Response<\/h2>\n<p>On Hackernews,\u00a0<a href=\"https:\/\/news.ycombinator.com\/item?id=11543926\" target=\"_blank\" rel=\"noopener\">Facebook responded publicly<\/a>, thanking Orange for his work (he is being rewarded with a US$10,000 bounty!) and claiming:<\/p>\n<blockquote><p>\u201cAfter incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. 
Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it\u2019s a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.\u201d<\/p><\/blockquote>\n<p>Now here I have to be a bit cynical: if this\u00a0<em>\u2018other researcher\u2019<\/em>\u00a0truly was looking to earn a bug bounty, he or she would have stepped forward by now. More importantly, automatically harvesting log-in data as described not only violates the rules of the bug bounty program, it goes well beyond what a \u2018white hat hacker\u2019 is supposed to do. I can only guess that Facebook would rather not admit this\u2026<\/p>\n<h2>How to do Better<\/h2>\n<p>A few interesting lessons come out of this disclosure.<\/p>\n<p>First of all,\u00a0<strong>bounty programs work<\/strong>\u00a0\u2013 without them, the potentially malicious hacker would still be gathering passwords and the bugs in Accellion\u2019s not-so-Secure File Transfer would not have been found.<\/p>\n<p>Second,\u00a0<strong>there\u2019s clearly a code quality problem in a proprietary product widely advertised for its security<\/strong>. Anybody with industry experience knows the state many internal code bases are in. Just note how often code quality is mentioned when companies want to open-source one of their products. You\u2019d do well to ask yourself how it can be acceptable to sell something that the engineers themselves describe as \u2018unacceptable\u2019 just because the customer can\u2019t actually see the code. It also shows that open-source code is widely held to a higher standard of quality.<\/p>\n<p>Why is this? Partly the pride of the company and its engineers, and partly simpler, practical considerations. 
Open communities like ownCloud have a steady stream of new contributors joining and contributing code. Over 1000 people have contributed code to ownCloud, with between 80 and 90 doing so every month, about a quarter of whom are new! That\u2019s right: we get to introduce two dozen new programmers to the ownCloud code base every month. You can imagine how clean, well laid out, well documented and well supplied with automated and manual tests a code base has to be for that to work out. It lets a new ownCloud contributor get their code in within hours. Compare this to a typical proprietary project, where a new hire is expected to spend a few weeks getting up to speed. Our process and code base enable us to bring 20+ volunteers up to speed on contributing to ownCloud each month!<\/p>\n<p>Obviously, the many more eyes on ownCloud code, combined with the quality of the code base and clear, transparent processes, have an effect on security as well.<\/p>\n<p>Does that mean our code is perfect? Not by any measure. We\u2019re more than willing to admit that the code as written might not be much better than what gets produced at a proprietary company like Facebook or Accellion, despite our clear review process and the pressure to document and test the code. But, unlike at a closed competitor, our code is under constant public scrutiny. Software engineering in general, and security in particular, is incredibly hard to do right. 
Thanks to our open process, we benefit from the collective insight of the smartest minds, and this input, review and oversight is how we continuously improve our code.<\/p>\n<p>The fact that ownCloud is a\u00a0<a href=\"https:\/\/owncloud.org\/blog\/owncloud-grows-to-8-million-users\/\" target=\"_blank\" rel=\"noopener\">big, open-source project<\/a>, following\u00a0<a href=\"https:\/\/owncloud.com\/blog-owncloud-releases-static-security-scan-results\/\">security industry best practices<\/a>\u00a0and running a\u00a0<a href=\"https:\/\/yeswehack.com\/programs\/owncloud-bug-bounty-program\" target=\"_blank\" rel=\"noopener\">security bug bounty program<\/a>\u00a0quoted as \u201c<a href=\"https:\/\/twitter.com\/ownCloud\/status\/647078072265646080\" target=\"_blank\" rel=\"noopener\">the benchmark for a well-executed, successful HackerOne launch<\/a>,\u201d gives our users and customers the confidence that, yes, they are running a secure product.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Companies open-sourcing their code often incur delays while they \u2018clean up the code\u2019, and the argument of \u2018poor or not acceptable quality code\u2019 is given as a reason not to make it available to the public in the first place. 
Customers may want to ask themselves how they can trust products with hidden code given how [&hellip;]<\/p>\n","protected":false},"author":15,"featured_media":78665,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[48],"tags":[],"class_list":["post-19635","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/19635","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/comments?post=19635"}],"version-history":[{"count":0,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/19635\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media\/78665"}],"wp:attachment":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media?parent=19635"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/categories?post=19635"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/tags?post=19635"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}