Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"

Take it public

[scubamage]

Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I was the submitter I'd just publish the exploit and be done with it.

Re:Take it public

[gl4ss]

They don't follow up on anything, I checked.

It might be because they're so swamped or maybe it's that if they feel like it's not their bug then they don't do anything. Either way not very responsive.

Re:Take it public

[SQLGuru]

I read the guy's own post about it. He reported what he could do and not the steps required to exploit it. The Facebook team couldn't reproduce it as a bug (since there were no repro steps) and closed it as "not a bug".

So really, the problem was one of communication. The guy has the problem a lot of my clients/users have in that they don't give enough detail to investigate the bug and Facebook didn't really follow what he was trying to say (since he just sent them links saying "look what I did"). I'm not saying he didn't legitimately find an exploit and probably deserves some bounty ($500 is nothing to a company like Facebook), but Facebook should probably have some guidelines for how to submit bugs.

Aside - what any bug report needs:
* What action were you taking?
* What result did you observe?
* What result did you expect?
* Are there specific data values that always exhibit the symptom?
* Are there specific data values that do not exhibit the symptom?
* Reproduction steps (be as detailed as possible)
* Any other useful details about the bug (error messages, screen shots, etc.)

Re:Take it public

I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.

Re:Take it public

[Skapare]

If YOU could read the guy's post, then that would be the WRONG place for him to put the details about how to reproduce it. Facebook engineers should have contacted HIM, directly, by a secure means, to get those details. If Facebook engineers expect exploits to be posted in a public forum, then it is THEY who are doing this wrong.

Re:Take it public

I'm a programmer and it really depends on the severity of the issue. Without steps to reproduce, finding the cause of an issue can sometimes be like finding a needle in a haystack. So, if it's not a big deal, it's not worth the effort.

Re:Take it public

[Opportunist]

The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a through investigation.

A severe security hole DOES! Almost invariably. Anything that allows an attacker to gain access in some way IS a reason for an investigation. The crucial point here is that undoing the damage is nearly impossible. With a crash, you can reenter the data and undo the damage. With a security breach, the data is out and there is NO way you can undo the damage, once data is out, it IS out.

Re:Take it public

[Opportunist]

'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.

Re:Take it public

I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."

Re:Take it public

[GNious]

This is why you change the Bug Status from "New" to "Need More Information", and NOT to "Closed" or "Get Lost, Ass".

Re:Take it public

[dgatwood]

No, not almost invariably. Invariably. You always follow up on security hole bug reports. Always. If you do not do this, you are incompetent. Assuming this security researcher gave them a reasonable amount of time (the summary here doesn't say), then this is once again a demonstration of Facebook talking "secure" but implementing the opposite, hyping their bounty program while refusing to pay out.

For that matter, you should always follow up on non-security bug reports unless they're obvious garbage (e.g. porn site spam submitted to your bug reporting page by a bot). But security bugs? There's no excuse for not following up on those. Ever. EVER.

Re:Take it public

[Rob+the+Bold]

I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.

Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting. I'd also make sure my instructions and description of the report format were just a little vague, so the user would be forced to fill in the blanks, further reducing the odds that the report would be "valid". Maybe I'd require some info that most bug reporters would think irrelevant or inapplicable to most bugs -- you know, just to tempt them to skip that part. Then I could pretty much close every ticket with "can't reproduce" and screw around on facebook all day -- for quality assurance purposes, of course.

Re:Take it public

[freezin+fat+guy]

They don't follow up on anything, I checked.

Nobody enjoys following up on things in which they have absolutely no interest.

Facebook have proven exceedingly reliable at not caring about their user's security or privacy.

Having living proof of a hack is especially annoying because it actually forces them to respond and improve user security. Fankly, I'm surprised they are pressing charges.

Re:Take it public

[fzammett]

Exactly, and I'm surprised people are arguing anything but this. Even for a report that you completely believe to be bogus, what time does it take to reply "hey, can I get more info?" Best case, it WAS bogus, and you never hear from the person again. You "wasted" all of 30 seconds. For a company like Facebook, that should be a trivial investment when the downside of an ACTUAL security problem is so bad. Assuming the report that they didn't reply in any way is accurate, then THIS is where Facebook fell down worst, and it's what is inexcusable.

Re:Take it public

[Frobnicator]

Assuming the report that they didn't reply in any way is accurate, then THIS is where Facebook fell down worst, and it's what is inexcusable.

Seems like Facebook employees forgot the reason they pay for the bounty program in the first place. It is to provide an incentive to report it to the company rather than reporting it to the black market for exploits.

A few seconds on Google will show the going rates of black market zero-day exploits for various services. Facebook was offering $500, but now won't pay. Black market rates he can still get about $40,000. (Note that $500USD is a year's salary in most of Pakistan.)

If he doesn't have the ethics, or if he really wants the money and thinks being in Pakistan makes him outside Facebook's reach, he can still get about 80 years' salary ($40,000) on the black market.

Won't pay?

[schneidafunk]

Seems to me that Mark is just pissed at being embarrassed, there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.

Re:Won't pay?

[Nerdfest]

Perhaps they should pay him extra and thank him ... he could have done much, much, worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.

Re:Won't pay?

[schneidafunk]

Exactly. You raise a good point, he used his personal account, which ended up getting suspended.

Re:Won't pay?

[afidel]

Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

Re:Won't pay?

[IronOxen]

Actually, he also exposed a bug in the bug reporting system that prevents it from responding to and or acknowledging the exact type of vulnerabilities it was designed to find. It was obviously repeatable since the vulnerability was reported twice and was ignored both times. He should be paid for that one as well.

Re:Won't pay?

[Nemesisghost]

So you are saying they should pay him and thank him, because he committed a worse offence than he did?

Yes. He tried to use their own method for reporting such problems. If he had just hacked it outright before telling them, then that'd be a different story. But when a company fails to use the information provided to them from their own communication channels, especially when it seems that they did so to screw someone out of a reward, then they deserve what they go & should still pay up.

Re:Won't pay?

[ArhcAngel]

Hacking into someone's account is a criminal offence.

It was not hacking since Facebook said themselves it was not a bug. Therefore it must be a feature and taking advantage of a feature is not hacking. Now if someone were to take advantage of that feature on my account I would sue Facebook for providing said feature and point to their own forum as evidence.

That's a catch 22

[i+kan+reed]

Post what you know to their white-hate system: not reproducible with that information. No money.
Reproduce it yourself: violating TOS. No money.

Re:That's a catch 22

[Nerdfest]

Sell it on the open market, plenty of money.

Re:Devil's Advocate

[bill_mcgonigle]

As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.

It's not 'leveraging an attack' when it's demonstrating the veracity of the claim, to a higher-up employee's wall because the lower level employee ignored you. If there's a problem with his behavior it's that he first posted on the wall of a friend of Zuck, who is not an employee and outside the bug reporting transaction. That was stupid, but a post to Facebook Security's page seems like fair game to demonstrate a problem.

That said, his bug report was complete shit and barely distinguishable from spam. How can he have an IS degree if he can't even write a decent bug report?

A great way to alienate the white-hat community.

[fuzzytv]

Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473

If someone from Facebook reads this, and it's TL;DR; here are the next steps:

#1 apologize to the guy, acknowledge he reported the issue twice
#2 reinstate the account and pay him his reward
#3 fix the damn issue

500 USD?

[ebonum]

What a joke. Face book should fire the guy costing 150,000 USD a year ( take home pay and all in cost to FB are not the same ) who wrote the offending code.

500 USD for a bug is an insult. How much do their QC people make a month? They failed, and they are getting a lot more than 500 USD.

Re:500 USD?

[Impy+the+Impiuos+Imp]

$5000 would be a better starting bounty. What are they expecting, 100,000 bugs?

Re:Guilty of being Palestinian

[Chris+Mattern]

$0. They didn't give him money becuase a) it was a shit bug report and b) corporations are innately averse to giving out money to *anybody*, even if there's a policy saying they have to. Palestine has nothing to do with it.

Re:Not illegal

[CanHasDIY]

So, American laws now apply to foreign nationals who are not in America?

A) Have you been sleeping the past decade or so? If the non-American government acquiesces to the US Government demands, then yes, apparently they do. Not that I agree with the practice.

B) The dude in question is a Palestinian. Really, if you know anything about US/Isreali/Palestinian relations, that should be all I have to say.

The childishness in the center of your statements was completely without necessity.

Re:This is so bad

[dgatwood]

This. As soon as a bug bounty program is shown to not actually pay out when a real security flaw is found, it becomes a worthless program. From now on, instead of telling Facebook, the not-insignificant percentage of hackers for whom the bounty was the only reason to report it to FB will simply disclose the flaw immediately, resulting in a significant reduction in the site's security for everyone.

BS..

[SuperDre]

Have you people actually seen the email-conversation between him and facebook?
Well if you have, you know HE is just a moron for making it public as he didn't send facebook a step-by-step on how to recreate the bug, all he did was say 'he I can post a message on someonelses wall without being a friend'.. and after facebook asked some details all he did was post a link to a post he made.. the man is a moron, if he's a "security researcher" then he should at least know how to do a proper bug-report.. Facebook get's so many fake bug-reports (with photoshopped images) from people who hope they can get a bounty..