Softpedia
 


July 6th, 2010, 16:47 GMT · By

Facebook Senior Engineer Hacked by his Colleagues

Facebook senior engineer hacked via evil twin attack
Several Facebook employees successfully hacked the password of a senior engineer as part of a challenge to test the security of the site's administrative system. To do it, they used an evil twin wireless attack.

Last month Twitter settled with the Federal Trade Commission following an investigation into two security breaches that resulted in unauthorized individuals obtaining access to the site's administrative system. Both incidents occurred in early 2009 and involved the compromise of accounts belonging to Twitter employees.

The first incident was the result of a classic brute force dictionary attack against a weak password (happiness), while the second was based on social engineering and involved the hacker compromising a personal email account first. As a result, the micro-blogging site was barred by the FTC for the next twenty years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. It was also forced to implement a comprehensive security program that will be subject to independent audits for the next ten years.

According to TechCrunch, a Facebook site reliability engineer named Pedram Keyani was inspired by the Twitter incidents and challenged his colleagues to try to hack him in a similar manner, the end game being access to the site's administrative system. The "hackers" didn't bother with phishing attacks or trying to infect the engineer's computer with password-stealing malware.

Instead, they went straight to the place where he was most vulnerable: at home. There the "hackers" set up what is known as an evil twin attack. They installed a rogue access point, duplicated the settings of his wireless network (same SSID, same channel) and waited.

In the comfort of his home and with his guard down, Keyani connected to the rogue access point without realizing anything was wrong. Unfortunately, his colleagues had a traffic snooper installed on the AP, which captured everything, including his Facebook password in plain text.
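From the defender's side, a rogue access point that copies an SSID and channel can often be spotted by comparing Wi-Fi scan results against an inventory of the access points you actually run. The sketch below is an added example, not part of the original article; the scan record layout, the inventory format and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory of the access points the owner actually operates.
TRUSTED = {
    "HomeNet": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2-PSK"},
}

# Constructed scan results (one dict per beacon seen), not real capture data.
SAMPLE_SCAN = [
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:00:00:01", "channel": 6, "security": "WPA2-PSK"},
    {"ssid": "HomeNet", "bssid": "de:ad:be:ef:00:02", "channel": 6, "security": "WPA2-PSK"},
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:00:00:01", "channel": 6, "security": "OPEN"},
    {"ssid": "CoffeeShop", "bssid": "11:22:33:44:55:66", "channel": 11, "security": "OPEN"},
]

def find_evil_twin_candidates(scan, trusted):
    """Return (bssid, ssid, reason) tuples for beacons that claim a trusted
    SSID but do not match the recorded inventory."""
    findings = []
    profiles = defaultdict(set)  # (ssid, bssid) -> {(channel, security), ...}
    for ap in scan:
        ssid = ap["ssid"]
        bssid = ap["bssid"].lower()
        if ssid not in trusted:
            continue  # only networks we own are checked
        known = trusted[ssid]
        if bssid not in known["bssids"]:
            findings.append((bssid, ssid, "unknown BSSID for trusted SSID"))
        elif ap["security"] != known["security"]:
            findings.append((bssid, ssid, "security differs from inventory"))
        profiles[(ssid, bssid)].add((ap["channel"], ap["security"]))
    # One radio should not advertise two different configurations at once.
    for (ssid, bssid), seen in profiles.items():
        if len(seen) > 1:
            findings.append((bssid, ssid, "same BSSID seen with conflicting settings"))
    return findings

if __name__ == "__main__":
    for finding in find_evil_twin_candidates(SAMPLE_SCAN, TRUSTED):
        print(finding)
```

A scan comparison like this is only a tripwire, since beacon fields are unauthenticated; the password in this story was readable because it crossed the network in plain text, which encrypting the login traffic end to end addresses regardless of which access point the client joins.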

Keyani considers the test a success that proves the strong security model of the site. "While they were able to access my personal Facebook account, they were not able to use this information to access any other account on Facebook," he told TechCrunch.

You can follow the editor on Twitter @lconstantin

READER COMMENTS:


Comment #1 by: Lord_Jereth on 06 Jul 2010, 19:29 UTC

"While they were able to access my personal Facebook account, they were not able to use this information to access any other account on Facebook,"

Well of course not. That's not what they were tasked with doing. They were specifically tasked with hacking YOUR account. Once that was accomplished they stopped. Are you really going to attempt to convince us that if a malicious hacker had access to the site reliability engineer's account that they couldn't farm it for further administrative access?

Way to whitewash it with bull, Bub.

Truth is, Facebook, as well as most other social networking sites, is one of the leading vectors for malware at the moment. After April's across-the-board relaxation of privacy policies, you can't convince us that our security is your number one priority, either.

Nice try,

LJ
