Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page
Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"
They pay $7,500 for an XSS bug, more for more serious bugs. Facebook better think about their program before a more serious bug is made public or exploited privately.
-- these are only opinions and they might not be mine.
Hell, you should at least respond to the reporter! "Can you provide more detail?" and then waiting for said detail is infinitely better than ignoring or rejecting it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Incidentally, I was just reading about the issue... market research numbers from last year.
$5000 - $30,000 Adobe Reader
$20,000 - $50,000 Mac OSX
$30,000 - $60,000 Android
$40,000 - $100,000 Flash or Java Browser Plug-Ins
$50,000 - $100,000 Microsoft Word
$60,000 - $120,000 Windows
$60,000 - $150,000 Firefox or Safari
$80,000 - $200,000 Chrome or IE
$100,000 - $250,000 iOS
Exactly. I once reported a bug which caused corruption of Linux configuration files. A simple change through an approved interface would eventually cause the keyboard to stop working because a configuration file was corrupted, making even rebooting a problem. I even got my company IT department involved to figure out what was going on. (They discovered the corrupted configuration file.) To recover, it seemed the only path for me was to reinstall the OS. I'm not a Linux developer at all, just a victim of the bug, but I wanted to be helpful. I spent about 10 hours over several days attempting to reproduce the bug and eventually got it down to a series of steps with a 70% likelihood of causing the problem. I decided to report it through proper channels ... do A, B, and C and notice that this file is corrupted at this location. I figured I'd given someone enough information for a knowledgeable person to act on and was kind of proud of myself for going out of my way to help instead of just ranting about the horrible state of Linux.
The result was a message from the development team asking me to take the bug and work on a fix. When I responded that I wasn't in any position to do that, I got a nasty "won't fix" status on the bug and a sarcastic remark that "that's the way the community works. If you want a bug fixed then you have to be willing to work on it yourself."
I figured the time I had put in to reproduce the problem and report it was my contribution. I don't know if it ever got fixed. I don't care. /rant
TL;DR: When someone reports a bug and gives even the slightest details of how to reproduce it or indicates the consequences of the bug are serious, don't just slap him in the face and tell him to get lost. If you need more information, then ask for it.