Slashdot Mirror


Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"

22 of 266 comments

  1. Take it public by scubamage · · Score: 5, Insightful

    Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I were the submitter I'd just publish the exploit and be done with it.

    1. Re:Take it public by gl4ss · · Score: 4, Insightful

      They don't follow up on anything, I checked.

      It might be because they're so swamped or maybe it's that if they feel like it's not their bug then they don't do anything. Either way not very responsive.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Take it public by SQLGuru · · Score: 5, Insightful

      I read the guy's own post about it. He reported what he could do and not the steps required to exploit it. The Facebook team couldn't reproduce it as a bug (since there were no repro steps) and closed it as "not a bug".

      So really, the problem was one of communication. The guy has the problem a lot of my clients/users have in that they don't give enough detail to investigate the bug and Facebook didn't really follow what he was trying to say (since he just sent them links saying "look what I did"). I'm not saying he didn't legitimately find an exploit and probably deserves some bounty ($500 is nothing to a company like Facebook), but Facebook should probably have some guidelines for how to submit bugs.

      Aside - what any bug report needs:
      * What action were you taking?
      * What result did you observe?
      * What result did you expect?
      * Are there specific data values that always exhibit the symptom?
      * Are there specific data values that do not exhibit the symptom?
      * Reproduction steps (be as detailed as possible)
      * Any other useful details about the bug (error messages, screen shots, etc.)

    3. Re:Take it public by Anonymous Coward · · Score: 5, Insightful

      I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducible in order to warrant some debugging and investigation.

    4. Re:Take it public by Skapare · · Score: 5, Insightful

      If YOU could read the guy's post, then that would be the WRONG place for him to put the details about how to reproduce it. Facebook engineers should have contacted HIM, directly, by a secure means, to get those details. If Facebook engineers expect exploits to be posted in a public forum, then it is THEY who are doing this wrong.

      --
      now we need to go OSS in diesel cars
    5. Re:Take it public by Opportunist · · Score: 5, Insightful

      The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a thorough investigation.

      A severe security hole DOES! Almost invariably. Anything that allows an attacker to gain access in some way IS a reason for an investigation. The crucial point here is that undoing the damage is nearly impossible. With a crash, you can reenter the data and undo the damage. With a security breach, the data is out and there is NO way you can undo the damage; once data is out, it IS out.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Take it public by Anonymous Coward · · Score: 5, Insightful

      I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."

    7. Re:Take it public by GNious · · Score: 5, Insightful

      This is why you change the Bug Status from "New" to "Need More Information", and NOT to "Closed" or "Get Lost, Ass".

    8. Re:Take it public by dgatwood · · Score: 4, Insightful

      No, not almost invariably. Invariably. You always follow up on security hole bug reports. Always. If you do not do this, you are incompetent. Assuming this security researcher gave them a reasonable amount of time (the summary here doesn't say), then this is once again a demonstration of Facebook talking "secure" but implementing the opposite, hyping their bounty program while refusing to pay out.

      For that matter, you should always follow up on non-security bug reports unless they're obvious garbage (e.g. porn site spam submitted to your bug reporting page by a bot). But security bugs? There's no excuse for not following up on those. Ever. EVER.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    9. Re:Take it public by Rob+the+Bold · · Score: 4, Insightful

      I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducible in order to warrant some debugging and investigation.

      Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting. I'd also make sure my instructions and description of the report format were just a little vague, so the user would be forced to fill in the blanks, further reducing the odds that the report would be "valid". Maybe I'd require some info that most bug reporters would think irrelevant or inapplicable to most bugs -- you know, just to tempt them to skip that part. Then I could pretty much close every ticket with "can't reproduce" and screw around on facebook all day -- for quality assurance purposes, of course.

      --
      I am not a crackpot.
    10. Re:Take it public by freezin+fat+guy · · Score: 4, Insightful

      They don't follow up on anything, I checked.

      Nobody enjoys following up on things in which they have absolutely no interest.

      Facebook have proven exceedingly reliable at not caring about their users' security or privacy.

      Having living proof of a hack is especially annoying because it actually forces them to respond and improve user security. Frankly, I'm surprised they are pressing charges.

    11. Re:Take it public by Frobnicator · · Score: 4, Insightful

      Assuming the report that they didn't reply in any way is accurate, then THIS is where Facebook fell down worst, and it's what is inexcusable.

      Seems like Facebook employees forgot the reason they pay for the bounty program in the first place. It is to provide an incentive to report it to the company rather than reporting it to the black market for exploits.

      A few seconds on Google will show the going rates of black market zero-day exploits for various services. Facebook was offering $500, but now won't pay. At black market rates he can still get about $40,000. (Note that $500USD is a year's salary in most of Pakistan.)

      If he doesn't have the ethics, or if he really wants the money and thinks being in Pakistan makes him outside Facebook's reach, he can still get about 80 years' salary ($40,000) on the black market.

      --
      //TODO: Think of witty sig statement
  2. Won't pay? by schneidafunk · · Score: 4, Insightful

    Seems to me that Mark is just pissed at being embarrassed; there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:Won't pay? by Nerdfest · · Score: 5, Insightful

      Perhaps they should pay him extra and thank him ... he could have done much, much, worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.

    2. Re:Won't pay? by afidel · · Score: 5, Insightful

      Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:Won't pay? by IronOxen · · Score: 5, Insightful

      Actually, he also exposed a bug in the bug reporting system that prevents it from responding to and or acknowledging the exact type of vulnerabilities it was designed to find. It was obviously repeatable since the vulnerability was reported twice and was ignored both times. He should be paid for that one as well.

    4. Re:Won't pay? by Nemesisghost · · Score: 4, Insightful

      So you are saying they should pay him and thank him, because he committed a worse offence than he did?

      Yes. He tried to use their own method for reporting such problems. If he had just hacked it outright before telling them, then that'd be a different story. But when a company fails to use the information provided to them from their own communication channels, especially when it seems that they did so to screw someone out of a reward, then they deserve what they get & should still pay up.

    5. Re:Won't pay? by ArhcAngel · · Score: 4, Insightful

      Hacking into someone's account is a criminal offence.

      It was not hacking since Facebook said themselves it was not a bug. Therefore it must be a feature and taking advantage of a feature is not hacking. Now if someone were to take advantage of that feature on my account I would sue Facebook for providing said feature and point to their own forum as evidence.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  3. That's a catch 22 by i+kan+reed · · Score: 4, Insightful

    Post what you know to their white-hat system: not reproducible with that information. No money.
    Reproduce it yourself: violating TOS. No money.

    1. Re:That's a catch 22 by Nerdfest · · Score: 5, Insightful

      Sell it on the open market, plenty of money.

  4. A great way to alienate the white-hat community. by fuzzytv · · Score: 5, Insightful

    Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473

    If someone from Facebook reads this, and it's TL;DR, here are the next steps:

    #1 apologize to the guy, acknowledge he reported the issue twice
    #2 reinstate the account and pay him his reward
    #3 fix the damn issue

  5. Re:Guilty of being Palestinian by Chris+Mattern · · Score: 4, Insightful

    $0. They didn't give him money because a) it was a shit bug report and b) corporations are innately averse to giving out money to *anybody*, even if there's a policy saying they have to. Palestine has nothing to do with it.