Facebook developed an exploit for Tails Linux OS

Jun 11, 2020 05:37 GMT  ·  By

Security experts at Facebook worked together with the FBI to track down a child predator the social network had been monitoring for years, eventually determining his location using a zero-day in the video player installed on his operating system.

Buster Hernandez, who was already charged and arrested in August 2017, used Tails Linux OS to remain anonymous while connected to the Internet, but according to a report from Vice, he often turned to Facebook in an attempt to extort underage girls for nude photos and videos.

He also sent several threats of rape and terrorist attacks, but Facebook failed to track him down because the operating system on his computer routed all traffic through the Tor network.

The report reveals that the FBI itself tried to break into the child predator’s computer several times but failed to do so due to the security measures put in place by Tails. The social network eventually stepped in and worked together with an unnamed third party to develop an exploit for a zero-day discovered in the video player pre-loaded in Tails.

Facebook never reached out to Tails

One of the victims then sent the child predator a crafted video file that was used to trigger the exploit, eventually helping the FBI determine Hernandez’s IP address, track him down, and arrest him.

Vice also reveals that Facebook never reached out to Tails to report the security bug, and what’s more, it’s unknown at this point if the FBI used the same exploit against other potential targets. The Bureau has remained completely tight-lipped on everything so far, so the bug in the security-focused Linux distro is likely still unpatched, with both the FBI and Facebook believed to be in possession of the code that could help break into computers running it.

According to the report, Facebook engineers have mixed feelings as to whether the social network’s approach was the right one. While some say the company shouldn’t have paid to go after a child predator, others believe this was the only way to go given the repeated threats sent by Hernandez to his victims.

Tails version 4.8 is scheduled to launch on June 30, but right now it’s not yet clear whether a patch for this zero-day is supposed to be part of the release, or whether the company is aware of the vulnerability.