Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page
Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"
Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I was the submitter I'd just publish the exploit and be done with it.
Seems to me that Mark is just pissed at being embarrassed, there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
...people are still using Facebook?
I would think that $500 is pretty cheap.. Why piss off everybody who might help you?
So is he going to respond by firing some rockets at them?
Post what you know to their whitehat system: not reproducible with that information. No money.
Reproduce it yourself: violating TOS. No money.
The messages he sent to facebook's bug reporting system read a lot like spam. The first two started with: "my name is khalil shreateh.
i finished school with B.A degree in Infromation Systems . "
Can't really blame them for not taking it too seriously to begin with. As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.
After Facebook's stock plummet, Mark is pretty hard up for cash; maybe Kahlil Shreateh could cut junior some slack? Let's "face it", superhero underwear for staff members is not cheap?
How much you want to bet it's because they don't want to be seen giving money to someone in Palestine?
Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds.
That's absolutely not worth the money. He's better off taking the publicity he got from this and turning it into a high-paying job.
"First they came for the slanderers and i said nothing."
Because we all know that any security exploit that breaks the TOS would never be used by a Black Hat.
Could the true reason be that palestine is being embargoed by the U.S. and Facebook can't send the guy money even if they wanted to?
Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473
If someone from Facebook reads this, and it's TL;DR, here are the next steps:
#1 apologize to the guy, acknowledge he reported the issue twice
#2 reinstate the account and pay him his reward
#3 fix the damn issue
What a joke. Facebook should fire the guy costing 150,000 USD a year (take-home pay and all-in cost to FB are not the same) who wrote the offending code.
500 USD for a bug is an insult. How much do their QC people make a month? They failed, and they are getting a lot more than 500 USD.
Looks like Facebook is rapidly declining into the corporate morass. WAKE UP Facebook!!
#4 fire whoever is responsible for him being ignored.
now we need to go OSS in diesel cars
Refusing to pay because it violates terms of service? Wait wait, I'm now convinced all my online details are safe. After all, the terms of service protect me from dishonest hackers, right?
sarcasm is harder. wow people are touchy
I mean, you ask people to send bugs to you, you even offer to pay.. and now for some obscure reason you don't? And after that you want me to "trust" you?
Hackers are not people who follow "rules" and/or TOS. That's why they find bugs!
you know who you are
You were warned repeatedly and ignored it. FU.
Fire the idiot(s) who denied the bug existed and hire Kahlil to replace them. Simple.
I think you are mistaking illegal versus violating terms of service. He did nothing illegal.
He should sit on it, and let them stew over it waiting for the head cheese to come down on them for not fixing it.
Then repeat his feat again next week to remind the head cheese to take action.
Nonsense. My web site has perfect security. OK, it has zero reachability, but hey, you have to pay a price. ;-)
They pay $7,500 for an XSS bug, more for more serious bugs. Facebook better think about their program before a more serious bug is made public or exploited privately.
-- these are only opinions and they might not be mine.
Or Judge Judy. AFAIK no lawyers allowed.
Well what did he expect
When a Palestinian goes and invades the home (page) of someone called Zuckerberg, it is despicable and horrible and would never happen in the real world.....oh hang on a minute
Don't tell them how it was done. No threats, no extortion, just don't tell them. Let them figure it out on their own dime.
FB is so for iPhone-using grandparents that even their engineers don't take threats seriously... really, is anyone still using that thing?
As a shareholder, I support this statement!
FB is so for iPhone-using grandparents that even their engineers don't take threats seriously... really, is anyone still using that thing?
You should check it out, you'd probably like it. With grammar like that, you'd fit right in!
In a commercial testing context, the submitter has a much bigger obligation and level of accountability. If he opens a bug, that bug should be treated unequivocally as a real problem and should be closely examined. Also, the submitter is obligated to respond and work together with the developer. The submitter also can be trusted to more accurately indicate the severity of a problem.
In an open bug tracking system, things change. People will file bugs with almost no detail that might be a real problem or just some rant abusing a bug tracker as a soapbox. Attempts to request follow-up information are frequently not responded to, as the submitter just fired and forgot. As such it's easy to get a bit distrusting of the legitimacy of reports, knowing that most of the time it isn't an actionable report and that trying to solicit feedback that would change the situation will be fruitless.
So for not closing this exploit, FB is in SERIOUS SHIT with the law for their millions of users.
What they meant to say was "That report is received by an intern who doesn't give a damn because we don't take security seriously."
Seems to me, the "bureaucrat" responding to the bug report should be fired and Kahlil should be offered a job.
Good to see they're still proactive. Somewhere around 2009 I came across a phishing scam to catch Facebook logins. On a whim I dug around the fake login page and I was able to glean over 15 thousand people's login info. I went to Facebook to do the right thing: "Hey, so and so is running a phishing scam and has their payload open to the WORLD.. might want to notify these thousands of people". The reply? A canned response: "So you are having trouble with your password information ..."
What a joke.
Nonsense. My web site has perfect security. OK, it has zero reachability, but hey, you have to pay a price. ;-)
Ahh, the "Switched off and unplugged locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards" security model. A wise choice.
I can buy that the submitted report "did not have enough technical information" to take action, but your response is ... uh, eh fuck it?
How about you follow up by contacting the submitter for more information.
Hacker: I found a major exploit in your system. Here are the details.
Facebook engineers: (to themselves) Shit, he may be right but we can't reproduce it and we don't want to get into trouble. Just sweep it under the rug.
Hacker: I filed a major bug report and you didn't respond, here are more details in case you needed more help.
Facebook engineers: (to themselves) Oh fuck. That is going to be a lot of work to fix. File this one under the rug again. I hope I get a better offer from Google or Apple before the shit hits the fan.
Hacker: (hacks Zuckerberg's account) That will get their attention.
Zuckerberg to FB engineers: WHAT THE FUCK! How did this happen! I want answers now or heads start rolling!
FB engineers: Shit Shit Shit Shit Shit... contact that guy and see what he did ASAP! Oh god oh god oh god..........
Facebook/Zuckerberg: This is a major embarrassment but I still don't want to give that little bastard any credit for exposing our laziness. Reward denied.
This is probably worth the risk of seeing more aggressive hackers in the future.
Have you people actually seen the email-conversation between him and facebook?
Well if you have, you know HE is just a moron for making it public, as he didn't send Facebook a step-by-step on how to recreate the bug; all he did was say 'hey, I can post a message on someone else's wall without being a friend'.. and after Facebook asked for some details, all he did was post a link to a post he made.. the man is a moron; if he's a "security researcher" then he should at least know how to do a proper bug report.. Facebook gets so many fake bug reports (with photoshopped images) from people who hope they can get a bounty..
IANAL, but this case sounds like it might be a good candidate for an unjust enrichment lawsuit. If Zuckerborg refuses to pay the $500 bounty on the grounds that FB terms of use were violated, then shouldn't they pay the hacker "fair market value" for identifying the bug? After all, FB openly solicited bug reports from the general public with a promise of compensation. And did FB not implement new safeguards after they found out the exploit was legitimate, as evidenced by Zuckerberg's hacked page?
If my neighbor hires a painter, and the painter paints my house instead of my neighbor's house, and I stand by and watch the painter work on my house without informing the painter he is working on the wrong house, then I am obligated to pay the painter the amount he would have charged my neighbor for the work performed. Absent any written agreement, the amount due would be based on the fair market value of the labor performed plus a generally accepted markup for the cost of materials.
So now I'm curious, what would be the fair market value for finding an exploit that would allow a hacker to alter Mr. Zuckerberg's own FB page? Given that the IRS can tax certain unsaleable items based on "illicit market" value, could the "street value" of Mr. Shreateh's findings be considered for valuation given that there is no "fair" market value, since such a value implies that there exists a market, meaning more than one possible customer legally able and willing to make an offer for such findings?
Read more: http://lancasteronline.com/article/local/607346_IRS-values-stolen-or-illegal-items-at-black-market-rate.html#ixzz2cRIxNEoC
So what you are saying is that you are a script kiddie and can be safely ignored because you have zero technical skills
Mark considers himself a haxor, so do many others that use his app. Some are smarter than others; this one proved he was, and went so far as to show the creator of Facebook he was. Instead of $500, I would have asked for a job, and some cigars, love those cigars, and maybe a bottle of tequila.... but never money!
It's the principle of it all
Some programmers are just arrogant people who assume everyone else is stupid and that it's always user error. I've worked for a large Norwegian browser company which I won't name, and it was the same thing there. No matter how detailed the bug report, and despite the fact that I was sitting less than 40 meters away so they could just have popped in for a demonstration, a lot of the reported bugs would just be closed with "cannot reproduce". It's just incredibly frustrating to work with people like that.
This XKCD seems appropriate. The first time I saw it I almost fell out of my chair laughing. At my previous company I practically had to write a doctoral thesis to get simple obvious bugs fixed.
Perhaps Shreateh can get asylum in Russia.
Have gnu, will travel.
He reported the bug BEFORE he violated the facebook TOS.
So Facebook is just using the TOS violation as an excuse for *retroactive* denial of the bounty *he had already earned*.
Realistically, what are the chances that even the most vile possible behavior by Facebook will even scratch their bottom line?
Facebook delenda est.
"However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"
Sounds like a great idea....deny the hacker who got into your system $ 500.00. Can't imagine what he might try to hack into next...........ca-ching. (still laughing tho...violated FB TOS.....smh)
Perhaps it has not bubbled up, but I am surprised that no one has mentioned that "days open" is one of the primary bug tracking metrics, which makes for a strong incentive to close bugs as quickly as possible. When you find yourself in a department that is judged on how fast bugs are closed, you start to realize that the easiest way to protect your "days open" metric is to not open bugs until you have to. In some cases, that means asking for more data from the submitter; in other cases that means rejecting the bug as not reproducible.
The sad fact is that implementing performance metrics raises an incentive to game the system.
Fuck Facebook.
Don't give them the information tell them to fuck off !
A Jew's company really has refused to pay a Palestinian money, and now spends real time and energy trying to make it look like the Palestinian's fault. You couldn't script it.
If Facebook won't pay him the $500, we should pass the hat around. Such chutzpah should be encouraged.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Without the guards.
The guards can still be paid off; even if you pay them well; since well is less than infinite; and that means there is some value of money between well and infinite that they can be offered.
Oh, come on moderators. -1 offtopic? I'm exactly on topic responding to parent. Is it because you find him funny (and totally unable to understand gpp), but the truth is too inconvenient for you?
I speak bad about Palestine (which has epic violence problems), and it doesn't matter that I throw Israel under the bus too? I spoke bad about the "victims" therefore I must be a bad person, and must be modded down? There is no excusing anyone who stands up for the violent, hateful, racist scumbags that shoot rockets from Palestine at Israel's civilians.
If they wanted real change, the rest of the world is ready to be sympathetic... but can't be while Palestine's moron population is trying to prove just how terrible it can be. The murderous lunatics are only slowing peace down. The real victims are the dead and suffering, on both sides of the wall. Yes, I guess I actually am calling for people to think of the children.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
1) Create dummy account. Monitor the account at least daily.
2) Invite people to hack dummy account, with an objective of either finding information not shown to public or adding a "contact me" message to dummy account.
3) If a person manages to do anything of such to dummy account, consider the hack valid and request further information.
4) After any such disclosure or after every month, do a full reset of account with new passwords and such.
You're an idiot if you use anything he's involved with
The man is a scumbag.
I hope some of you are able to read the "security researcher's" two disclosures to Facebook. In broken English they both basically said "I figured out how to hack you. I'm a student who can't find work. Give me my reward." with zero proof. Facebook handled this case appropriately. First time I've ever said that.
Plain and simple: they PUBLISHED the fact that they pay people who find and report security flaws and OPENLY ignore reports? Seems like they're hanging on to their $500 by the skin of their grimy lying teeth. I hate Facebook and now admire this guy. They should pay him MORE than $500 for having to go through the trouble of hacking their stupid page. I hate to know how many times this happens from people who aren't just trying to REPORT THE BUG :/ Good Grief