They got past Facebook's security, ergo Facebook has a security problem. The fact they used the clever technique of breaking into the security manager's home network is neither here nor there. This could have been fixed by, for example, requiring the engineer to access any admin systems via a VPN or other secure tunnel (or only on-site)† and ensuring he doesn't use the same password for admin functions as for anything else. Both of these are simple, straightforward, best-practice security measures, so it's fair to say Facebook's security is bad.
† It isn't clear whether he accessed work-related stuff from home or not; it may just have been that he reused a password between his internet accounts and his Facebook roles.
Since Facebook uses SSL for authorization, an educated guess would be that they somehow intercepted the homepage of Facebook (which is not SSL-encrypted) and replaced it with a phishing web page.
> Even though the title says the employees succeeded in bypassing Facebook security, it seems they did so by breaking into the user's home network.
It's a great reminder that security can often be circumvented more easily by using a "human weakness" (i.e. corruption of someone who has access to the system, passwords on post-its) than the system itself.
Which means next to nothing if the page with the login form isn't encrypted. A man-in-the-middle attack would just replace the Facebook login page, and the user would likely never notice.
Isn't this common? They are employees of the company so they should understand different weaknesses of the code and should be able to exploit them.
When I was working at (huge tech company with 8000 employees) we did the very same thing and were able to get full root access to our SaaS servers: from finding our .svn folders, to getting a full dump of the system code, then grepping through that code to find system-level exec commands.
I would be more surprised if they (facebook or the old company I worked for) had found nothing.
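A cut-down version of the "grep the dumped code for exec calls" step the comment above describes, as an added example in Python; it is not the commenter's tooling, and the PHP-style sample files, paths and sink list are assumptions made for the example. It goes one step past a plain grep by tracking, within a file, variables assigned from request superglobals, so a sink that is fed through such a variable is flagged as tainted even when the superglobal is not on the same line.

```python
import re

# Shell-execution sinks to look for. The dumped code base in the comment above is not
# named; a PHP-style code base is assumed here for the example.
SINK_RE = re.compile(
    r'\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\((?P<args>[^;]*)',
    re.IGNORECASE,
)
# Request-controlled PHP superglobals ($_SERVER is included because HTTP headers land there).
TAINT_RE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b')
# Simple assignments "$var = <expr>;" (a plain "==" comparison also matches; acceptable for triage).
ASSIGN_RE = re.compile(r'(\$\w+)\s*=\s*(?P<rhs>[^;]*);')


def tainted_variables(source):
    """One-hop taint tracking inside a single file.

    A variable is tainted if its right-hand side mentions a request superglobal or an
    already-tainted variable, in source order. Calls, arrays and cross-file flow are not
    followed, and sanitizers such as escapeshellarg are not recognized, so "tainted"
    means "reachable from request data", not "exploitable".
    """
    tainted = set()
    for m in ASSIGN_RE.finditer(source):
        rhs = m.group("rhs")
        if TAINT_RE.search(rhs) or any(re.search(re.escape(v) + r'\b', rhs) for v in tainted):
            tainted.add(m.group(1))
    return tainted


def find_shell_sinks(path, source):
    """Return one finding per shell sink in the file, marking whether its arguments look request-controlled."""
    tainted = tainted_variables(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            args = m.group("args")
            is_tainted = bool(TAINT_RE.search(args)) or any(
                re.search(re.escape(v) + r'\b', args) for v in tainted
            )
            findings.append({
                "file": path,
                "line": lineno,
                "sink": m.group(1).lower(),
                "tainted": is_tainted,
                "code": line.strip(),
            })
    return findings


def scan_tree(files):
    """files: mapping of path -> source text, i.e. the tree recovered via the exposed .svn metadata.

    The .svn directories themselves are skipped and only PHP sources are scanned. Matches
    inside comments or string literals are not filtered out, so results still need a manual look.
    """
    results = []
    for path, source in sorted(files.items()):
        if path.startswith(".svn/") or "/.svn/" in path:
            continue
        if not path.endswith((".php", ".inc")):
            continue
        results.extend(find_shell_sinks(path, source))
    return results


def tainted_sinks(files):
    """Just the sinks whose arguments trace back to request data: the ones worth trying first."""
    return [f for f in scan_tree(files) if f["tainted"]]


# Constructed sample tree standing in for a dump pulled through an exposed .svn folder.
SAMPLE_TREE = {
    "web/.svn/entries": "10\n",
    "web/ping.php": (
        "<?php\n"
        "$host = $_GET['host'];\n"
        "system('ping -c 1 ' . $host);\n"
    ),
    "web/report.php": (
        "<?php\n"
        "$out = shell_exec('uptime');\n"
        "echo $out;\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        flag = "TAINTED" if f["tainted"] else "static "
        print(f"{flag} {f['file']}:{f['line']} {f['sink']}: {f['code']}")
```

On the sample tree the ping handler is reported as tainted and the uptime call is not, which is the split a grep for "system(" alone cannot make; the one-hop tracker still over-reports through sanitizers, so each tainted hit is a lead to verify rather than a confirmed command injection.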
Ok, hold up. There is a BIG difference between TARGETED attacks like the one described and security holes. A targeted attack like the one described will work on ANY system PERIOD. Hell, he may as well have had his bank account hacked and complained to citi/chase/ing/etc. The point is such hacks are bogus when it comes to "hacking facebook."
However, such things are still useful since HE will be targeted if people really want to hack FB. So then, voilà, they found an employee who is a vulnerability and thus will try to close that hole.
I am more interested in hacking facebook from a pure-user perspective. Getting information from a random user. See how far it can be taken. That is more interesting. Saying that "if someone waiting to get hacked got hacked, then a random joe will definitely get hacked" is bogus. This sort of targeted attack will get through most secure networks, period.
It is not clear whether they actually got in due to bad security on Facebook's part, or simply because they had access to the compromised computer.