Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

← Back to Stories (view on slashdot.org)

Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

Posted by samzenpus on Monday August 19, 2013 @02:15AM from the do-you-see-it-now? dept.

Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"

173 of 266 comments (clear)

Min score:

Reason:

Sort:

Take it public by scubamage · 2013-08-19 02:17 · Score: 5, Insightful

Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I was the submitter I'd just publish the exploit and be done with it.
1. Re:Take it public by gl4ss · 2013-08-19 02:22 · Score: 4, Insightful
  
  They don't follow up on anything, I checked.
  It might be because they're so swamped or maybe it's that if they feel like it's not their bug then they don't do anything. Either way not very responsive.
  
  --
  world was created 5 seconds before this post as it is.
2. Re:Take it public by SQLGuru · 2013-08-19 02:37 · Score: 5, Insightful
  
  I read the guy's own post about it. He reported what he could do and not the steps required to exploit it. The Facebook team couldn't reproduce it as a bug (since there were no repro steps) and closed it as "not a bug".
  So really, the problem was one of communication. The guy has the problem a lot of my clients/users have in that they don't give enough detail to investigate the bug and Facebook didn't really follow what he was trying to say (since he just sent them links saying "look what I did"). I'm not saying he didn't legitimately find an exploit and probably deserves some bounty ($500 is nothing to a company like Facebook), but Facebook should probably have some guidelines for how to submit bugs.
  Aside - what any bug report needs:
  * What action were you taking?
  * What result did you observe?
  * What result did you expect?
  * Are there specific data values that always exhibit the symptom?
  * Are there specific data values that do not exhibit the symptom?
  * Reproduction steps (be as detailed as possible)
  * Any other useful details about the bug (error messages, screen shots, etc.)
3. Re:Take it public by Anonymous Coward · 2013-08-19 02:37 · Score: 5, Insightful
  
  I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.
4. Re:Take it public by Skapare · 2013-08-19 02:44 · Score: 5, Insightful
  
  If YOU could read the guy's post, then that would be the WRONG place for him to put the details about how to reproduce it. Facebook engineers should have contacted HIM, directly, by a secure means, to get those details. If Facebook engineers expect exploits to be posted in a public forum, then it is THEY who are doing this wrong.
  
  --
  now we need to go OSS in diesel cars
5. Re:Take it public by Anonymous Coward · 2013-08-19 02:48 · Score: 1, Insightful
  
  I'm a programmer and it really depends on the severity of the issue. Without steps to reproduce, finding the cause of an issue can sometimes be like finding a needle in a haystack. So, if it's not a big deal, it's not worth the effort.
6. Re:Take it public by Anonymous Coward · 2013-08-19 02:59 · Score: 1
  
  The guy posted his e-mail that he sent to facebook as "proof" that he tried to go about it the correct way. I think it was on his personal blog.
  Basically all he did is say "I posted to someone's timeline, this is a bug" and linked to the post he made. He didn't explain anything.
  The communication was secure between him and facebook.
7. Re:Take it public by Opportunist · 2013-08-19 03:11 · Score: 5, Insightful
  
  The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a through investigation.
  A severe security hole DOES! Almost invariably. Anything that allows an attacker to gain access in some way IS a reason for an investigation. The crucial point here is that undoing the damage is nearly impossible. With a crash, you can reenter the data and undo the damage. With a security breach, the data is out and there is NO way you can undo the damage, once data is out, it IS out.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
8. Re:Take it public by Opportunist · 2013-08-19 03:13 · Score: 3, Insightful
  
  'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
9. Re:Take it public by Anonymous Coward · 2013-08-19 03:21 · Score: 5, Insightful
  
  I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."
10. Re:Take it public by GNious · 2013-08-19 03:28 · Score: 5, Insightful
  
  This is why you change the Bug Status from "New" to "Need More Information", and NOT to "Closed" or "Get Lost, Ass".
11. Re:Take it public by dgatwood · 2013-08-19 03:31 · Score: 4, Insightful
  
  No, not almost invariably. Invariably. You always follow up on security hole bug reports. Always. If you do not do this, you are incompetent. Assuming this security researcher gave them a reasonable amount of time (the summary here doesn't say), then this is once again a demonstration of Facebook talking "secure" but implementing the opposite, hyping their bounty program while refusing to pay out.
  For that matter, you should always follow up on non-security bug reports unless they're obvious garbage (e.g. porn site spam submitted to your bug reporting page by a bot). But security bugs? There's no excuse for not following up on those. Ever. EVER.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
12. Re:Take it public by Rob+the+Bold · 2013-08-19 03:32 · Score: 4, Insightful
  
  I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.
  Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting. I'd also make sure my instructions and description of the report format were just a little vague, so the user would be forced to fill in the blanks, further reducing the odds that the report would be "valid". Maybe I'd require some info that most bug reporters would think irrelevant or inapplicable to most bugs -- you know, just to tempt them to skip that part. Then I could pretty much close every ticket with "can't reproduce" and screw around on facebook all day -- for quality assurance purposes, of course.
  
  --
  I am not a crackpot.
13. Re:Take it public by Gibgezr · 2013-08-19 03:37 · Score: 1
  
  Yes, but maybe they did that, and still couldn't reproduce it
  All he did was say "I can post to anyone's timeline", which is so vague as to be useless information. It gives them no hint as to what is broken, as the Timelines are probably integrated into huge swathes of the FB codebase. It truly was a needle in a haystack, and thus totally unverifiable. He needed to send the repro info.
14. Re:Take it public by DavidD_CA · 2013-08-19 03:43 · Score: 1
  
  I believe the person is referring to the hacker's own personal blog/story, not the post that the hacker made to Facebook -- which I presume is private.
  
  --
  -David
15. Re:Take it public by X0563511 · 2013-08-19 03:53 · Score: 4, Informative
  
  Hell you should at least respond to the reporter! "Can you provide more detail?" and then waiting for said detail is infinity better than ignoring or rejecting it.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
16. Re:Take it public by X0563511 · 2013-08-19 03:56 · Score: 2
  
  Not to say you're wrong, but would it really have been so hard for them to reply asking for details? Simply closing it without even a response is not appropriate, even if it is a useless report.
  As someone else said, if it was publicly viewable it was not an appropriate place to put the details. Perhaps he should have offered them (I have reproducibility details, please contact me) but really, the onus for that was on them and not him.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
17. Re:Take it public by jovius · 2013-08-19 04:03 · Score: 5, Informative
  
  Incidentally I was just reading about the issue... Market research numbers from last year.
  
  $5000 - $30,000 Adobe Reader
  $20,000 - $50,000 Mac OSX
  $30,000 - $60,000 Android
  $40,000 - $100,000 Flash or Java Browser Plug-Ins
  $50,000 - $100,000 Microsoft Word
  $60,000 - $120,000 Windows
  $60,000 - $150,000 Firefox or Safari
  $80,000 - $200,000 Chrome or IE
  $100,000 - $250,000 iOS
18. Re:Take it public by Anonymous Coward · 2013-08-19 04:18 · Score: 4, Informative
  
  Exactly. I once reported a bug which caused corruption of Linux configuration files. A simple change through an approved interface would eventually cause the keyboard to stop working because a configuration file was corrupted, making even rebooting a problem. I even got my company IT department involved to figure out what was going on. (The discovered the corrupted configuration file.) To recover it seemed the only path for me was to reinstall the OS. I'm not a Linux developer at all, just a victim of the bug, but I wanted to be helpful. I spent about 10 hours over several days attempting to reproduce the bug and eventually got it down to a series of steps with a 70% likelihood of causing the problem. I decided to report it through proper channels ... do A, B, and C and notice that this file is corrupted at this location. I figured I'd given someone enough information for a knowledgeable person to act on and was kind of proud of myself for going out of my way to help instead of just ranting about the horrible state of Linux.
  The result was a message from the development team asking me to take the bug and work on a fix. When I responded that I wasn't in any position to do that I got a nasty "won't fix" status on the bug an a sarcastic remark that "that's the way the community works. If you want a bug fixed then you have to be willing to work on it yourself."
  l figured the time I had put in to reproduce the problem and report it was my contribution. I don't know if it ever got fixed. I don't care. /rant
  TL:DR When someone reports a bug and gives even the slightest details of how to reproduce it or indicates the consequences of the bug are serious, don't just slap him in the face and tell him to get lost. If you need more information then ask for it.
19. Re:Take it public by freezin+fat+guy · 2013-08-19 04:20 · Score: 4, Insightful
  
  They don't follow up on anything, I checked.
  Nobody enjoys following up on things in which they have absolutely no interest.
  Facebook have proven exceedingly reliable at not caring about their user's security or privacy.
  Having living proof of a hack is especially annoying because it actually forces them to respond and improve user security. Fankly, I'm surprised they are pressing charges.
20. Re:Take it public by tlhIngan · 2013-08-19 04:21 · Score: 2
  
  No, not almost invariably. Invariably. You always follow up on security hole bug reports. Always. If you do not do this, you are incompetent. Assuming this security researcher gave them a reasonable amount of time (the summary here doesn't say), then this is once again a demonstration of Facebook talking "secure" but implementing the opposite, hyping their bounty program while refusing to pay out.
  For that matter, you should always follow up on non-security bug reports unless they're obvious garbage (e.g. porn site spam submitted to your bug reporting page by a bot). But security bugs? There's no excuse for not following up on those. Ever. EVER.
  Except that most are bogus. Yes, bogus.
  Imagine you're Facebook and you're getting piles of "I can post on someone else's timeline!" Well, you can be 99.999% of those cases are probably one of user error - as in, the user reporting it could do it because the permissions said so.
  Likewise, Microsoft probably receives a bunch of equally annoying reports of "If I do X, I could do Y and HAXXOR!". Except X requires admin priviledges, in which case you're doing Y as admin and yes, that's expected behavior when you're admin. In fact, instead of doing Y, if you can do X, just do HAXXOR and you're done and save yourself the effort. (A surprisingly large number of reports involve either getting admin as a prerequisite or having it already).
  And unfortunately, when you get thousands of such reports an hour by "security researchers", you need something to do first round culling of the bogus from the possibly requiring investigation.
21. Re:Take it public by freezin+fat+guy · 2013-08-19 04:23 · Score: 1
  
  Oops, should read "I'm surprised they AREN'T pressing charges"
  Few things must infuriate Zuckerburg and cohorts more than addressing the security or privacy of their users.
22. Re:Take it public by fzammett · 2013-08-19 04:24 · Score: 3, Insightful
  
  Exactly, and I'm surprised people are arguing anything but this. Even for a report that you completely believe to be bogus, what time does it take to reply "hey, can I get more info?" Best case, it WAS bogus, and you never hear from the person again. You "wasted" all of 30 seconds. For a company like Facebook, that should be a trivial investment when the downside of an ACTUAL security problem is so bad. Assuming the report that they didn't reply in any way is accurate, then THIS is where Facebook fell down worst, and it's what is inexcusable.
  
  --
  If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
23. Re:Take it public by thaylin · 2013-08-19 04:36 · Score: 1
  
  So you would fire someone because they were hypothesizing that someone may not want to do work, and that if they did not want to do work they would be vague about setting up the documentation?
  He did not claim he did not want to do the work....
  
  --
  When you cant win, ad hominem.
24. Re:Take it public by dgatwood · 2013-08-19 04:37 · Score: 5, Interesting
  
  Basically all he did is say "I posted to someone's timeline, this is a bug" and linked to the post he made. He didn't explain anything.
  Bzzt. If Facebook's logging weren't broken, that should be all they need. The existence of the post itself, having been posted to a wall where he should not have been allowed to post, should have been enough to determine trivially that the bug was real. Further, the post's database record should contain the posting IP address and the ID of the server that handled the request. From there, they should have been able to look at the server's request logs to determine precisely how the attack happened (assuming the researcher was using a structurally valid URL in the request, as opposed to exploiting a null character handling bug in the web server itself).
  But even if they looked at the logs and couldn't figure out what happened, IMO, it is still completely unacceptable to just close a bug like this. It's one of those bugs that, if real, is borderline catastrophic in scope. You do not close a bug like that as "cannot reproduce". You contact the originator and say, "Hey, can we get more information about this? We need to try to reproduce the problem."
  It's sad that it takes somebody posting on the CEO's Facebook page to get the attention of Facebook's security staff. This means one of two things: they are grossly mismanaged or are woefully understaffed—probably the latter, IMO. Either way, it tells me that Facebook does not take security seriously enough. If bug screeners do not have time to properly follow up on bugs that are this severe, then they need to double or even triple the number of screeners.
  Also, this brings into serious question the way that Facebook screens bugs in the first place. Where I work, a bug like this would have been tagged as a security bug the moment it came in. This causes additional people to review the bug, significantly reducing the likelihood of a serious mistake. Closing the bug without asking for more information strongly suggests that a single, hopelessly overworked individual made a mistake, and that the company as a whole failed to have proper processes in place to ensure additional review that would otherwise have caught that mistake quickly and followed up with the original reporter. Not good. Not good at all.
  And as long as I'm criticizing Facebook's security practices, IMO, a service like this should have several publicly visible, official security testing accounts for precisely this purpose, with various restrictions on various posts, etc. so that security researchers can properly hammer on their site's security. For example, there should be an official test account that looks an awful lot like Mark Zuckerberg's account. If a researcher is able to post on the wall of that account, there can be no doubt whatsoever about the fact that a bug exists. Likewise, there should be more complex accounts with various security settings, complete with a list of that content and the expected behavior (e.g. you should not be able to read the barcode image entitled "nude_selfie_for_my_boyfriend.jpg").
  In short, I suspect there's plenty of blame to go around for this error. What matters is not who gets blamed, but rather how Facebook fixes their processes to ensure that such mistakes do not get made in the future. And I would emphasize that this does not involve firing anyone. People make mistakes. That's why processes are supposed to be designed to mitigate those mistakes. A company like Facebook is big enough that they should know this. If they don't, then perhaps this object lesson will get their attention and cause them to change their ways. If not, it's time to run, not walk, to a competing service.
  Either way, what the researcher did was IMO wholly appropriate. He initially performed the smallest attack that could potentially have proven that there was a flaw. When the first report was casually dismissed, he then escalated that attack,
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
25. Re:Take it public by Minwee · 2013-08-19 04:42 · Score: 1
  
  Maybe they just don't have the technology to request additional info from the reporter.
  That makes sense. After all, why would you expect a company like Facebook to have any way of communicating with their own users?
26. Re:Take it public by dgatwood · 2013-08-19 04:50 · Score: 4, Interesting
  
  Imagine you're Facebook and you're getting piles of "I can post on someone else's timeline!" Well, you can be 99.999% of those cases are probably one of user error - as in, the user reporting it could do it because the permissions said so.
  Even if you're right, and 99% are bogus, there's no excuse for having a process where you choose "Not a bug" instead of "Need more information" with a request for steps to reproduce. That should be drilled into employees as the only valid response until they are relatively certain that the problem was user error. This culling was premature; you must assume that the bug *might* need investigation until it is clear that it does not. Anything less is negligence.
  But the bigger problem is that there's no good way for Facebook to be certain that it wasn't user error unless the account is known (by Facebook) to have settings that should have prevented posting. That's what makes the CEO's page an obvious choice. IMO, there's also no excuse for a company the size of Facebook to not provide an account that is preconfigured to not allow posts so that if a researcher successfully posts on it, the subsequent security bug report has automatic credibility (and, hopefully, additional logging by Facebook's servers, immediate reaction from their security response team, etc.). Perhaps call the test account Zark Muckerberg.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
27. Re:Take it public by Frobnicator · 2013-08-19 04:57 · Score: 4, Insightful
  
  Assuming the report that they didn't reply in any way is accurate, then THIS is where Facebook fell down worst, and it's what is inexcusable.
  
  Seems like Facebook employees forgot the reason they pay for the bounty program in the first place. It is to provide an incentive to report it to the company rather than reporting it to the black market for exploits.
  A few seconds on Google will show the going rates of black market zero-day exploits for various services. Facebook was offering $500, but now won't pay. Black market rates he can still get about $40,000. (Note that $500USD is a year's salary in most of Pakistan.)
  If he doesn't have the ethics, or if he really wants the money and thinks being in Pakistan makes him outside Facebook's reach, he can still get about 80 years' salary ($40,000) on the black market.
  
  --
  //TODO: Think of witty sig statement
28. Re:Take it public by ShanghaiBill · 2013-08-19 05:11 · Score: 1
  
  So, if it's not a big deal, it's not worth the effort.
  If there is not enough info to reproduce the bug, then they should email the submitter and ask for more info. They should never just ignore the report.
  Relevant xkcd
29. Re:Take it public by Krojack · 2013-08-19 05:15 · Score: 2
  
  I'm a programmer and it really depends on the severity of the issue. Without steps to reproduce, finding the cause of an issue can sometimes be like finding a needle in a haystack. So, if it's not a big deal, it's not worth the effort.
  Oh hell yeah. So true.
  I had a client keep reporting about a problem with their web page. I along with no one in the office could reproduce it. Seeing as the client was in town, I went to their office and was able to reproduce the problem. Turns out it was an extension they had installed. I told them to disable all extensions beforehand and they said they did. Lets say they ended up paying a hefty service fee. They tried to dispute it but failed.
30. Re:Take it public by jones_supa · 2013-08-19 05:15 · Score: 1
  
  If I were your supervisor and I heard you say...
  
  If it were my job to handle bug reports and I didn't want to be hassled with work...
  ...I assure you, it would no longer be your job.
  Read his post fully. He was exactly describing how someone would handle bug reports badly.
31. Re:Take it public by liamevo · 2013-08-19 05:27 · Score: 1
  
  Pakistan != Palestine
32. Re:Take it public by dgatwood · 2013-08-19 05:38 · Score: 1
  
  This bug wasn't a case of pretending to be somebody else, I don't think, but rather, a case of being able to post on a timeline where posting should not have been allowed—a permissions bug. But still, yes, they dropped the ball... into the Grand Canyon.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
33. Re:Take it public by Anonymous Coward · 2013-08-19 05:45 · Score: 1
  
  It's not just Facebook. Have you tried contacting Netflix or Google? It's nearly impossible, and they never respond. Even Twitter went downhill quickly in the user-responsiveness category. It's pretty amazing how unresponsive most major internet-based companies are; the only good ones I can think of are retailers or ISPs.
34. Re:Take it public by dgatwood · 2013-08-19 05:54 · Score: 2
  
  They simply do not have the time or manpower to respond to every last report of "I can haxxor" or "I was haxxored and they keep doing it".
  The latter is almost invariably a problem with the user's computer, and even if it isn't, there's no possibility that the user has enough information to be helpful. However, Facebook should have the ability to flag what appears to be your own post when reporting a problem, and Facebook should at least take the time to determine whether the post occurred through password compromise, from a third-party FB app, or appears to have been actually posted by that user from a computer that had a valid cookie. Then, the system should send an automated message to the user indicating how he/she can protect him/herself from that attack in the future. This process could be entirely automated, giving the user the ability to follow up only in the case of a third-party FB app having made the post (which is likely a real security bug, or at best, an app developer violating the developer TOS).
  
  Also, pay attention to the section which states that you are supposed to use a TEST ACCOUNT to reproduce the problem, not hack the Big Z's timeline.
  Which he did, and they dismissed his bug report, so he took the only step that he thought could prove, in FB's eyes, that the flaw was legitimate.
  What I find particularly interesting is how many ACs are defending Facebook in this. It almost makes me wonder if there's an astroturfing campaign going on, either officially or unofficially, by employees of either FB or a third-party firm hired to defend them. Just saying.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
35. Re:Take it public by Existential+Wombat · 2013-08-19 06:13 · Score: 1
  
  Either way, what the researcher did was IMO wholly appropriate.
  
  Yes but he's probably going to jail for it.
36. Re:Take it public by HiThere · 2013-08-19 06:17 · Score: 2
  
  Sorry, but that's wrong. You are ignoring scalability.
  OTOH, they should have responded by setting up an account with good logging, etc., and asked him to demonstrate by posting to it's timeline. And THAT should give them enough information.
  As a second thought, that account should be a template that they can easily and quickly run up "as needed". Because I'm sure they get many such reports, and they probably always respond to them in the same way.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
37. Re:Take it public by HiThere · 2013-08-19 06:21 · Score: 1
  
  You wonder? I was taking it for granted that Facebook was trying to suppress the story with an astroturfing campaign.
  P.S.: While that action is thoroughly immoral, many companies do the same thing. Which is why when I saw the "anonymous coward" posts popping up, I just presumed an astroturfing campaing to suppress the report (or, in this case, defend their [in]actions).
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
38. Re:Take it public by skine · 2013-08-19 07:31 · Score: 1
  
  To be fair, the summary does say that $500 is the minimum.
  According to the Forbes article posted by jovius, Facebook's average payout is a few thousand.
39. Re:Take it public by Muros · 2013-08-19 07:33 · Score: 1
  
  Pakistan != Palestine
  Palestine GDP per capita (From the always correct and unfailingly infallible wikipedia, but I'll use it anyway)
  
  $1924 (West Bank)
  $876 (Gaza)
  
  We're not talking orders of magnitude in difference.
40. Re:Take it public by Stan92057 · 2013-08-19 07:34 · Score: 1
  
  Yes it does, now if everyone went by your logic Cough everyone and there cousins will submit junk just to waste FB time. Dont you people think even a little?
  
  --
  Jack of all trades,master of none
41. Re:Take it public by Stan92057 · 2013-08-19 07:37 · Score: 1
  
  Ya blame FB for people not reading the rules. Hes smart enough to figure out a flaw but stupid enough not to read the submitting rules ya......
  
  --
  Jack of all trades,master of none
42. Re:Take it public by dgatwood · 2013-08-19 08:57 · Score: 1
  
  Sorry, but that's wrong. You are ignoring scalability.
  In what way?
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
43. Re:Take it public by Dreamportal · 2013-08-19 09:13 · Score: 1
  
  Saying that Facebook is just stating the obvious. They hire kids straight out of college, and expect quality software from them. These guys don't know how to implement anything remotely securely, and when someone calls them out, they ban them. Typical reactionary BS, if you ask me. They wouldn't last a day in the environment I work in (a.k.a. the real world). And yes, he should just make it public. What can they do that they haven't already done?
44. Re:Take it public by SeaFox · 2013-08-19 09:45 · Score: 1
  
  It's not just Facebook. Have you tried contacting Netflix or Google? It's nearly impossible, and they never respond. Even Twitter went downhill quickly in the user-responsiveness category. It's pretty amazing how unresponsive most major internet-based companies are; the only good ones I can think of are retailers or ISPs.
  So the businesses where people are paying the company for a product or service?
  I wonder if there's a correlation here...
45. Re:Take it public by lgw · 2013-08-19 10:33 · Score: 1
  
  Facebook has pretty good analytics. They should certainly be able to review the logs associated with the post and check the submitters claims. After all - they put hadoop and such on the map.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
46. Re:Take it public by rHBa · 2013-08-19 10:45 · Score: 1
  
  Would it be white, grey or black hat hacking to gain access to the bug reporting system and escalated the bug report so that someone actually actioned it?
  
  After all, if you can get Zuckerberg access to Facebook you could probably fix a few things for them...
47. Re:Take it public by ScoLgo · 2013-08-19 10:59 · Score: 1
  
  About eight months ago, I contacted netflix when someone 'stole' my credit card info and opened a new account with them. Did the online chat thing and their rep had it all fixed (at the netflix end of things at least) within 15 minutes. It was painless and easy.
  No, I don't work for netflix and am not affiliated in any way. There are certainly things about them that I don't like but I can't complain about their customer service.
  
  --
  "Michael, I did nothing. I did absolutely nothing - and it was everything that I thought it could be."
48. Re:Take it public by georgewad · 2013-08-19 12:02 · Score: 1
  
  Do you work for Dell?
  
  --
  Karma: It's not just a good idea. It's the law.
49. Re:Take it public by Myopic · 2013-08-19 12:02 · Score: 1
  
  By secure means? Maybe they could message him on Facebook or something.
50. Re:Take it public by Kalriath · 2013-08-19 12:05 · Score: 1
  
  Giving Google money doesn't make their customer support any faster. Trust me on that.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
51. Re:Take it public by dbIII · 2013-08-19 12:45 · Score: 1
  
  Either way I doubt even Facebook could touch somebody there in court.
52. Re:Take it public by mikeiver1 · 2013-08-19 12:50 · Score: 1
  
  If they say they pay $500.00 for a bug and then refuse to acknowledge and pay you for a righteous bug you would just walk away? I think not. Fuck Facebook. They got what they deserve and if they refused to pay me and also locked my account to boot I would make security exploits of their system a side job and put each one in the wild without reporting it to them so as to cause as much damage and trouble to them. I don't have a facebook account. Never have and never will since I think the whole FB thing is for assholes. That and if they are giving you something for free than it isn't free and you are the product. Boycott facebook!
53. Re:Take it public by HiThere · 2013-08-19 13:09 · Score: 1
  
  Yeah, but if they did detailed logging of every access they wouldn't be able to do that. Scalability. You can store detailed logging of selected events easily. And detailed means you log things like the number of milliseconds between different messages. That's not usually important, but sometimes it is. But you can't do that kind of thing on a large scale.
  OTOH, I read later that they *do* have test pages. So perhaps they should have just sent him to one of them, and had him show them. I *trust* that they have *those* pages set to do detailed logging.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
54. Re:Take it public by scubamage · 2013-08-19 13:48 · Score: 1
  
  I think that's pretty solidly grey hat. You're technically breaking the law by accessing a system you're not supposed to and without authorization, but you're doing it entirely for benevolent reasons directly benefitting the party whose security you're compromising.
55. Re:Take it public by mysidia · 2013-08-19 13:52 · Score: 1
  
  I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."
  Status: Open -> Closed: Wontfix
  Resolution: -> Invalid
  Notes: Can post on random other users' timelines, contrary to privacy settings -- not a bug, it's a feature.
56. Re:Take it public by mysidia · 2013-08-19 14:02 · Score: 1
  
  that "that's the way the community works. If you want a bug fixed then you have to be willing to work on it yourself."
  Any developer who is worth their salt, would tell you that's bullshit.
  Software defects are not only the concern of the person who encounters them. The project is doomed to failure if the developers won't take responsibility for their work and going the extra mile to ensure its quality.
  In a professional setting, the developer who responded to a user, IT admin's bug report or another programmer's bug report like that would be fired.
57. Re:Take it public by vidnet · 2013-08-19 14:06 · Score: 1
  
  If you'd read TFA, you'd have seen the bug reports.
  The first was a proof of concept that just didn't work.
  The second was one was an explanation that was very difficult to understand, and was interpretted as a feature working as intended.
  The reason why they won't pay now is obviously that they don't want all future exploit reports to come in the form of posts on Zuckerberg's timeline. People would love to do that with impunity, and it would not look good for Facebook.
58. Re:Take it public by mysidia · 2013-08-19 14:10 · Score: 1
  
  Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting.
  This is why good companies implement some form of separation of duties when deciding how employees will execute their job.
  The person who specifies the conditions under which a bug report can be rejected, should not be the same as the person responsible for handling the reports, OR at least someone else with the project's interests and customer's interests at heart above and beyond the developers' desire to be as "efficient", "lazy", or have as little work as possible --- should be involved in the process of setting the rules and approving them, and on occassion -- reviewing the performance and compliance of the bug handlers.
59. Re:Take it public by mysidia · 2013-08-19 14:26 · Score: 1
  
  'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.
  Posting a message to someone else's timeline isn't exactly a 0day full-access hole.
  It's more like a potentially spam/malicious link-facilitating bug.
60. Re:Take it public by dgatwood · 2013-08-19 15:13 · Score: 1
  
  Until a few hundred celebs' walls get spammed and they declare en masse that they're all moving to Google+, followed shortly thereafter by a fan exodus. Facebook might not take security seriously enough at times, but even they aren't clueless enough to think that they can ignore it entirely.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
61. Re:Take it public by lgw · 2013-08-20 04:57 · Score: 1
  
  But you can't do that kind of thing on a large scale.
  Why, to do that you'd have to dedicate tens of thousands of machines just to log collection and analysis, invent a whole new approach to databases that scales out that much, and a whole ecosystem of applications around it! Yeah, Facebook did all that, long ago. Remember what their real product is: the analytics are more important than the site itself.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
62. Re:Take it public by minstrelmike · 2013-08-20 05:13 · Score: 1
  
  If I were your supervisor and I heard you say...
  
  If it were my job to handle bug reports and I didn't want to be hassled with work...
  ...I assure you, it would no longer be your job.
  That depends on _your_ supervisor dud, I mean dude.
  What if he told you any $500 bounty payout came out of your department's budget?
  I am curious to know whether it is due to laziness or greed and at what level in the organization the laziness/greed occurs.
63. Re:Take it public by minstrelmike · 2013-08-20 05:17 · Score: 1
  
  You wonder? I was taking it for granted that Facebook was trying to suppress the story with an astroturfing campaign.
  Ditto. Wish I had mod points.
64. Re:Take it public by minstrelmike · 2013-08-20 05:18 · Score: 1
  
  Facebook is being cheap. Pay the man and be thankful!
  or hire him.
65. Re:Take it public by ThomasMcA · 2013-08-20 05:59 · Score: 1
  
  If you put that much effort into doing your job instead of avoiding it, you might actually become a decent QA analyst.
66. Re:Take it public by bdwebb · 2013-08-20 07:19 · Score: 1
  
  Maybe they just don't have the technology to request additional info from the reporter.
  The largest social media site on teh internets does not have the technology to request additional information? I'm assuming here (and I don't think this is too much of an assumption) that they are using a pre-existing reporting or ticketing platform and every single software suite released to perform this function since the early 90s has had this type of functionality. Even if they rolled their own and used inspiration from other platforms, there is no way this feature would have been left out.
  
  Taking this even FURTHER...oh wait...we're talking about incompetence on the technical staff at Facebook, right? Totally plausible.
67. Re:Take it public by bdwebb · 2013-08-20 07:21 · Score: 1
  
  High five for reason. Where are my mod points when I need them?
68. Re:Take it public by tom+arnall · 2013-08-20 18:16 · Score: 1
  
  sounds like they don't want to keep their word on the bounty. FB smells of suits, increasingly and at an accelerating rate.
Won't pay? by schneidafunk · 2013-08-19 02:19 · Score: 4, Insightful

Seems to me that Mark is just pissed at being embarrassed, there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.

--
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
1. Re:Won't pay? by vswee · 2013-08-19 02:21 · Score: 1, Offtopic
  
  Agreed. Also, hackers are not really the people you'd want to shortchange. They're a vengeful bunch I've heard.
2. Re:Won't pay? by Nerdfest · 2013-08-19 02:22 · Score: 5, Insightful
  
  Perhaps they should pay him extra and thank him ... he could have done much, much, worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.
3. Re:Won't pay? by schneidafunk · 2013-08-19 02:24 · Score: 3, Insightful
  
  Exactly. You raise a good point, he used his personal account, which ended up getting suspended.
  
  --
  Some people die at 25 and aren't buried until 75. -Benjamin Franklin
4. Re:Won't pay? by afidel · 2013-08-19 02:24 · Score: 5, Insightful
  
  Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
5. Re:Won't pay? by Anonymous Coward · 2013-08-19 02:25 · Score: 1
  
  Lumping people together loosely by profession and then giving them generalized personality traits, are we? How ignorant.
6. Re:Won't pay? by IronOxen · 2013-08-19 02:33 · Score: 5, Insightful
  
  Actually, he also exposed a bug in the bug reporting system that prevents it from responding to and or acknowledging the exact type of vulnerabilities it was designed to find. It was obviously repeatable since the vulnerability was reported twice and was ignored both times. He should be paid for that one as well.
7. Re:Won't pay? by poetmatt · 2013-08-19 02:38 · Score: 1
  
  this is facebook. they're not in the business of security or privacy. what do you expect?
8. Re:Won't pay? by Nemesisghost · 2013-08-19 02:40 · Score: 4, Insightful
  
  So you are saying they should pay him and thank him, because he committed a worse offence than he did?
  Yes. He tried to use their own method for reporting such problems. If he had just hacked it outright before telling them, then that'd be a different story. But when a company fails to use the information provided to them from their own communication channels, especially when it seems that they did so to screw someone out of a reward, then they deserve what they go & should still pay up.
9. Re:Won't pay? by Anonymous Coward · 2013-08-19 02:40 · Score: 1
  
  Hacking into someone's account is a criminal offence.
  In that case, as Facebook are offing a bounty on security flaws, they are encouraging people to break the law.
10. Re:Won't pay? by Chris+Mattern · 2013-08-19 02:46 · Score: 3, Interesting
  
  No they aren't, because *finding* a security flaw is not the same thing as illegally *exploiting* a security flaw. If you need a proof of concept, you can hack your own account.
11. Re:Won't pay? by CanHasDIY · 2013-08-19 02:53 · Score: 1
  
  Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.
  Exactly - fuck me once, shame on you, fuck me twice...
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
12. Re:Won't pay? by Redmancometh · 2013-08-19 02:53 · Score: 2
  
  Okay better put: when hackers seek vengeance they have the means to wreak havoc. An a huge number of them revel in the opportunity.
13. Re:Won't pay? by ArhcAngel · 2013-08-19 02:54 · Score: 4, Insightful
  
  Hacking into someone's account is a criminal offence.
  It was not hacking since Facebook said themselves it was not a bug. Therefore it must be a feature and taking advantage of a feature is not hacking. Now if someone were to take advantage of that feature on my account I would sue Facebook for providing said feature and point to their own forum as evidence.
  
  --
  "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
14. Re:Won't pay? by CanHasDIY · 2013-08-19 02:55 · Score: 1
  
  No they aren't, because *finding* a security flaw is not the same thing as illegally *exploiting* a security flaw. If you need a proof of concept, you can hack your own account.
  Which is still illegal (because even though it's "your account," you still have to run the exploit on someone else's network), and still a violation of the ToS.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
15. Re:Won't pay? by Mike · 2013-08-19 03:08 · Score: 1
  
  Hacking into someone's account is a criminal offence.
  Well, therein lies [a] problem. Any such law is completely bogus in the first place.
16. Re:Won't pay? by Nidi62 · 2013-08-19 03:14 · Score: 2
  
  How is a Palestinian going to get arrested by Pakistani authorities?
  
  --
  The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
17. Re:Won't pay? by Opportunist · 2013-08-19 03:15 · Score: 2
  
  Vengeful? Oh please. But next time he might sell it to someone else.
  There's no shortage of parties interested in 0day exploits for FB...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
18. Re:Won't pay? by Opportunist · 2013-08-19 03:20 · Score: 2
  
  *gasp*
  That they are interested in protecting their assets! Imagine someone could come and siphon away all the info without paying them!
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
19. Re:Won't pay? by LordLimecat · 2013-08-19 03:21 · Score: 1
  
  We're saying that not paying him has made it so that hackers will simply not bother next time, and will instead sell the exploit on the black market.
20. Re:Won't pay? by parkinglot777 · 2013-08-19 03:53 · Score: 2
  
  Well, you should not overlook that there may be other factors involved in these parties...
  
  The bug reporter
  1)Did he describe how to reproduce the bug step-by-step?
  2)Did he describe the set up to reproduce the bug in detail?
  3)How understandable was his email to native English speakers?
  
  The FB team
  1)How many similar bug reports do they get each day?
  2)What the procedure do they use in bug investigation?
  3)How much concern they have to each bug report?
  
  1st email:
  the bug allow facebook users to share links to other facebook users , i tested it on sarah.goodin wall and i got success post
  http:
  
  2nd email:
  of course you may cant see the link because sarah's timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority .
  this is a picture shows that post :
  Now, your reply assumes that the bug reporter clearly explains how to reproduce the bug. What I see from his blog post that the first email is only the "result image" of what he did which cannot be a proof! Why? You should be able to answer that if you know any photo editor software. The second email is not much better than the first. It added a little more preparation to reproduce the bug, but it is still too vague. This is a type of "bug report" from an end user who does NOT understand what "step-by-step" is.
  Being said that, you also assume that the FB team has nothing to do at all. There is always a reason for whatever one does; however, the reason may or may not be acceptable to the general public. At least, you need to put yourself into other's shoes in order to understand it better. The work load of validating bug reports could be a lot more than you think. When monetary system is involved, there are always some people who attempt to exploit the system. In this case, I guarantee that there are plenty of fake bug reports sending to their team. When you have seen a lot of fake bug reports and you need to invalidate them, you would likely be sceptical toward any bug report at first. If there is no step-by-step procedure in place, you may apply the simplest way to deal with -- in this case attempt to post something on someone else's time line that is not in your friend list. Then the second report said you have to be a friend of the person. You may assume that it is not a bug because the person is in your "friend" list, and that you have permission to post on their timeline (assume that the person permission is set to allow friends to post).
  Anyhow, I do blame both sides. I blame the reporter because he gave an incomplete bug report which makes sense to him but not others at the time. Then he escalates his action and steps over the line. I blame the FB team because they did not scrutinize on every single bug report but rather make an assumption in order to do less work. If I were to judge this, I would not reward the reporter still because of his second action (steps over the line). I hope that the reporter loses his attitude and learn from this situation that he should be more professional in the field. The mistake he did (now) is not serious but rather excellent experience for him to be more clear and careful in the future.
  PS: For those who said why he did not use a dummy account to do the test, I half agree. Seeing his blog, it seems that he does not know how to disguise his connection on the Internet, using a dummy account does not help...
21. Re:Won't pay? by asmkm22 · 2013-08-19 04:55 · Score: 1
  
  Apparently, he should have just sold it on the black market since Facebook is trying to weasel out of paying over a technicality, no pun intended.
22. Re:Won't pay? by coughfeeman · 2013-08-19 05:24 · Score: 1
  
  'Cause the Black Market be all like, "If only we could post on anyone's FB timeline! Combined with the 4 question marks we've gathered, we can have all the Bitcoins!"
23. Re:Won't pay? by afidel · 2013-08-19 05:29 · Score: 2
  
  Considering that Instagram followers and Likes are worth more than credit card numbers on the black market I'd assume the ability to manipulate timelines would find some significant value.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
24. Re:Won't pay? by t0y · 2013-08-19 06:39 · Score: 2
  
  He linked to the post in goodin's wall that shouldn't exist. If a server is on fire you don't need steps to reproduce to prove that something's wrong.
25. Re:Won't pay? by flabordec · 2013-08-19 09:32 · Score: 1
  
  Your analogy is completely wrong: it would be correct if my house had a very fancy security system, there is a note on the front that says "I will give $500 to anyone who detects a problem with my security", you rang to tell me you found one vulnerability but I decided to ignore you because I don't want to pay you and then you broke into my house and left a polite note apologizing for it but mentioning that you do, in fact, have a way to break the system. Still illegal, but if there is a jerk in the story it is Facebook for not ignoring the bug reports and not paying bounties.
  
  --
  "I see undead people" Warcraft III - Necromancer
26. Re:Won't pay? by Myopic · 2013-08-19 12:04 · Score: 1
  
  What would be your legal claim in your lawsuit?
27. Re:Won't pay? by mysidia · 2013-08-19 14:33 · Score: 1
  
  The only ethical thing to do if you discover a security vulnerability is to inform the owner of the system. Any other action (reveling the vulnerability to the public, using the vulnerability for your own profit, using the vulnerability to "make a point", etc.) is at best a jerk move and at worst illegal.
  Facebook not paying the bounty is a jerk move. Personally, I think the next step in response to that, is to try to shame Facebook into treating people more responsibly --- one way of doing so would be to leverage the vulnerability using any legal method that would embarrass Facebook, or show them that their behavior has unintended consequences.
28. Re:Won't pay? by mysidia · 2013-08-19 14:37 · Score: 1
  
  Your analogy is completely wrong: it would be correct if my house had a very fancy security system, there is a note on the front that says "I will give $500 to anyone who detects a problem with my security", you rang to tell me you found one vulnerability but I decided to ignore you because I don't want to pay you and then you broke into my house and left a polite note apologizing for it but mentioning that you do
  Naw... it's more like you have a Hotel that offers a bounty if you can find a bug in their electronic lock system securing all the hotel rooms.
  You report a bug, and they ignore you, so you take it upon yourself to find one of the Hotel owner's rooms protected by the electronic locking system... you defeat it, and you use the defeat just to slip a little sign in the window, where the whole world can see it, and run off.....
29. Re:Won't pay? by mysidia · 2013-08-19 14:45 · Score: 1
  
  Well, therein lies [a] problem. Any such law is completely bogus in the first place.
  Hacking into an account is not. Gaining access to a computer system without authorization, or utilizing access in excess of your authorized privilege might be.
  Most hacking crimes would be Denial of Service, Wire Fraud, or Theft of service.
  On the other hand, if you find some person's private intimate details buried in the trash, by some company's employee that carelessly threw out a printout, Name, Address, Social security, etc -- and you just gather that information, store it in a database, to leverage for marketing purposes --- have you committed a crime? Probably not.
30. Re:Won't pay? by parkinglot777 · 2013-08-19 23:34 · Score: 1
  
  And that's why I blame FB team to not scrutinize on bug report. Have you ever been in an environment that you and a few other people have to deal with hundreds of hundreds of new vague bug report every day for months, and that you are one of them to verify and fix them? I am not saying that you could use that as an excuse not to be careful, but I am saying that it leads to what FB team did. It may or may not be acceptable depends on who is looking at the issue.
31. Re:Won't pay? by Redmancometh · 2013-08-26 20:47 · Score: 1
  
  How can you nitpick that with no sense of scale? You have no idea what a "huge number" means in the context of my statement.
  Way to be a douche just to be a douche.
I'm Amazed... by DexterIsADog · 2013-08-19 02:22 · Score: 2, Funny

...people are still using Facebook?
1. Re:I'm Amazed... by Anonymous Coward · 2013-08-19 02:26 · Score: 1
  
  Hurr durr. It's easy to be amazed by that if you don't speak to anyone outside of your geek echo chamber.
2. Re:I'm Amazed... by Anonymous Coward · 2013-08-19 02:33 · Score: 1
  
  The younger generation is moving away from it...primarily because of parents being on there. Twitter and all other manner of anonymous rapid publishing make Facebook seem unused by comparison.
3. Re:I'm Amazed... by Opportunist · 2013-08-19 03:21 · Score: 1
  
  Yup. Not only that, but you can see how the "geek" community (and those that want to be seen as such) are moving away for its "commercial" reek. Since every company and their dog need to muscle in, FB is about as hip as disco.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
refuse to pay? by Anonymous Coward · 2013-08-19 02:22 · Score: 1

I would think that $500 is pretty cheap.. Why piss off everybody who might help you?
1. Re:refuse to pay? by idontgno · 2013-08-19 03:03 · Score: 1
  
  Why piss off everybody who might help you?
  Why not crush everybody who might embarrass you?
  Or, as another sharp analyst put it:
  
  Upon this a question arises: whether it be better to be loved than feared or feared than loved? It may be answered that one should wish to be both, but, because it is difficult to unite them in one person, is much safer to be feared than loved, when, of the two, either must be dispensed with.
  In context, that means that if you can make people afraid of trying to hack you, you don't need their respect (or actual competence on your part) to avoid being hacked. Once you've fully domesticated the sheep, you can expect that they won't test their fences any more.
  Of course, this strategy is pre-ordained to fail: the psychology of black-hat is full of a kind of irrational sense of invincibility. Like many other sociopaths, they're always the ones most surprised when they're busted. So the lessons of fear are lost on them. But it certainly seems cheaper to the service provider than actually hardening and resolving exploitable holes.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
2. Re:refuse to pay? by Opportunist · 2013-08-19 03:24 · Score: 1
  
  Why not crush everybody who might embarrass you?
  Because of groups like Anonymous. They get a kick out of embarrassing people who get really upset about it.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That's a catch 22 by i+kan+reed · 2013-08-19 02:23 · Score: 4, Insightful

Post what you know to their white-hate system: not reproducible with that information. No money.
Reproduce it yourself: violating TOS. No money.
1. Re:That's a catch 22 by Nerdfest · 2013-08-19 02:26 · Score: 5, Insightful
  
  Sell it on the open market, plenty of money.
2. Re:That's a catch 22 by greg1104 · 2013-08-19 11:58 · Score: 1
  
  Post what you know to their white-hate system
  Facebook says that white hate also violates the TOS.
Re:What next? by Rob+the+Bold · 2013-08-19 02:28 · Score: 3, Funny

So is he going to respond by firing some rockets at them?
WTF? Zuck's got a private army now? Maybe he got some Predators as a thank-you gift from the NSA.

--
I am not a crackpot.
$500 is a lot of money by LifesABeach · 2013-08-19 02:28 · Score: 1, Funny

After Facebook's stock plummet, Mark is pretty hard up for cash; maybe Kahlil Shreateh could cut junior some slack? Lets "face it", super hero underware for staff members is not cheap?
1. Re:$500 is a lot of money by phantomfive · 2013-08-19 02:32 · Score: 2
  
  Have you looked at Facebook's stock recently? It's getting close to the IPO price.
  
  --
  "First they came for the slanderers and i said nothing."
2. Re:$500 is a lot of money by camperdave · 2013-08-19 02:33 · Score: 2
  
  Underware? Is that some sort of page 0 TSR, or BIOS xploit, or something?
  
  --
  When our name is on the back of your car, we're behind you all the way!
3. Re:$500 is a lot of money by rwyoder · 2013-08-19 02:44 · Score: 1
  
  Have you looked at Facebook's stock recently? It's getting close to the IPO price.
  It actually closed a little *over* the IPO price on several days last week.
4. Re:$500 is a lot of money by mysidia · 2013-08-19 14:52 · Score: 1
  
  Have you looked at Facebook's stock recently? It's getting close to the IPO price.
  Its recent stock price is full of hot air; hopes, dreams, and other imaginary stuff, and cannot be justified based on either the company's current, anticipated, or remotely likely future growth at massive levels, let alone based on their intrinsic value.
  I expect them to have a 50% or greater haircut, when the market comes to grips with their irrational exuberance in regards to FB.
  They can do everything right and still "plummet", because their pricing is pie in the sky. FB is in no danger of become bankrupt, and they certainly do have a non-zero intrinsic value; it's just not 1000 times earnings.
5. Re:$500 is a lot of money by phantomfive · 2013-08-19 18:32 · Score: 1
  
  If that happens, I wonder if they'll be able to keep their employees around, or if all the good ones will just leave.
  
  --
  "First they came for the slanderers and i said nothing."
6. Re:$500 is a lot of money by mysidia · 2013-08-20 00:02 · Score: 1
  
  If that happens, I wonder if they'll be able to keep their employees around, or if all the good ones will just leave.
  If they'll bail out just because of some price swings of publicly traded stock, or they were just there because of insanely high valuations, then they are not very good employees.
  You don't work for a company based on its stock price. You invest in a company's shares based on its stock price being below what you believe the shares will be worth; or what you believe those shares will eventually be worth relative to the market and relative to your opportunity costs in regards to other options for investing your cash.
Guilty of being Palestinian by Anonymous Coward · 2013-08-19 02:30 · Score: 1, Interesting

How much you want to bet it's because they don't want to be seen giving money to someone in Palestine?
1. Re:Guilty of being Palestinian by Chris+Mattern · 2013-08-19 02:49 · Score: 4, Insightful
  
  $0. They didn't give him money becuase a) it was a shit bug report and b) corporations are innately averse to giving out money to *anybody*, even if there's a policy saying they have to. Palestine has nothing to do with it.
2. Re:Guilty of being Palestinian by jittles · 2013-08-19 09:41 · Score: 1
  
  $0. They didn't give him money becuase a) it was a shit bug report and b) corporations are innately averse to giving out money to *anybody*, even if there's a policy saying they have to. Palestine has nothing to do with it.
  Maybe Facebook's coffers are so empty that they can't afford to pay a $500 bounty?
Not worth it by phantomfive · 2013-08-19 02:31 · Score: 5, Interesting

Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds.

That's absolutely not worth the money. He's better off taking the publicity he got from this and turning it into a high-paying job.

--
"First they came for the slanderers and i said nothing."
Are all security hacks a TOS violation? by Anonymous Coward · 2013-08-19 02:31 · Score: 1

Because we all know that any security exploit that breaks the TOS would never be used by a Black Hat.
Re:Devil's Advocate by bill_mcgonigle · 2013-08-19 02:38 · Score: 3, Insightful

As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.
It's not 'leveraging an attack' when it's demonstrating the veracity of the claim, to a higher-up employee's wall because the lower level employee ignored you. If there's a problem with his behavior it's that he first posted on the wall of a friend of Zuck, who is not an employee and outside the bug reporting transaction. That was stupid, but a post to Facebook Security's page seems like fair game to demonstrate a problem.
That said, his bug report was complete shit and barely distinguishable from spam. How can he have an IS degree if he can't even write a decent bug report?

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
A great way to alienate the white-hat community. by fuzzytv · 2013-08-19 02:44 · Score: 5, Insightful

Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473
If someone from Facebook reads this, and it's TL;DR; here are the next steps:
#1 apologize to the guy, acknowledge he reported the issue twice
#2 reinstate the account and pay him his reward
#3 fix the damn issue
500 USD? by ebonum · 2013-08-19 02:47 · Score: 1, Insightful

What a joke. Face book should fire the guy costing 150,000 USD a year ( take home pay and all in cost to FB are not the same ) who wrote the offending code.
500 USD for a bug is an insult. How much do their QC people make a month? They failed, and they are getting a lot more than 500 USD.
1. Re:500 USD? by Impy+the+Impiuos+Imp · 2013-08-19 03:24 · Score: 3, Insightful
  
  $5000 would be a better starting bounty. What are they expecting, 100,000 bugs?
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
2. Re:500 USD? by Entropius · 2013-08-19 04:11 · Score: 2
  
  Probably. Have you ever used Facebook? It's buggier than an entomology lab.
3. Re:500 USD? by gameboyhippo · 2013-08-19 09:25 · Score: 1
  
  I'm not sure where anybody has gotten the idea that code is always going to be perfect the first time through even with the most cautious developer. Programming is complex and, especially in the field of security, new breaches are invented all the time. For some, it may not be the developer's code at all, but a library or runtime that the code uses. At the end of the day, programmers who deal with the most complex issues are most likely going to make a mistake somewhere in their code. Yes unit testing and functional testing can mitigate that, but an expectation for code to be 100% bulletproof 100% of the time is silly.
4. Re:500 USD? by fuzzytv · 2013-08-19 12:33 · Score: 1
  
  The nastiest (security) issues I've stumbled upon usually happened at the boundary of multiple components (developed by various teams and therefore multiple individuals). None of them was really the single offender, it was mostly about incorrect assumptions / pieces reimplemented through the lifetime / specifications not detailed enough (well, is there such thing as a complete specification?). And those are the most difficult issues to debug / identify.
  So "fire the guy who wrote the offending code" may not be as simple as it sounds. And even the best developers I know do a mistake from time to time.
Re:A great way to alienate the white-hat community by Skapare · 2013-08-19 02:49 · Score: 2

#4 fire whoever is responsible for him being ignored.

--
now we need to go OSS in diesel cars
Cheapskates by Anonymous Coward · 2013-08-19 02:53 · Score: 4, Funny

Refusing to pay because it violates terms of service? Wait wait, I'm now convinced all my online details are safe. Afterall the terms of service protects me from dishonest hackers, right?
Re: What next? by CanHasDIY · 2013-08-19 02:56 · Score: 2, Funny

Yes, Preditors are often overlooked. Just cover yourself with mud and smash them with a log and you'll be fine. Or stay out of the jungles which is their primary habitat.
Tell that to Danny Glover.

--
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Trying to save face... by oh_my_080980980 · 2013-08-19 03:10 · Score: 1

You were warned repeatedly and ignored it. FU.
Not illegal by schneidafunk · 2013-08-19 03:12 · Score: 1

I think you are mistaking illegal versus violating terms of service. He did nothing illegal.

--
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
1. Re:Not illegal by CanHasDIY · 2013-08-19 03:22 · Score: 1
  
  If that were the case, I likely wouldn't have listed both.
  Pretty sure compromising a remote system that does not belong to you without permission is a violation of the Computer Fraud and Abuse Act.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
2. Re:Not illegal by IcarusMoth · 2013-08-19 03:28 · Score: 1
  
  So, American laws now apply to foreign nationals who are not in America? That's awesome! U-S-A! U-S-A! Unless of course he's a foreign national outside the legal borders of America and therefore not subject to American laws. ...one of the two...
3. Re:Not illegal by CanHasDIY · 2013-08-19 03:40 · Score: 1, Insightful
  
  So, American laws now apply to foreign nationals who are not in America?
  A) Have you been sleeping the past decade or so? If the non-American government acquiesces to the US Government demands, then yes, apparently they do. Not that I agree with the practice.
  B) The dude in question is a Palestinian. Really, if you know anything about US/Isreali/Palestinian relations, that should be all I have to say.
  The childishness in the center of your statements was completely without necessity.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
4. Re:Not illegal by schneidafunk · 2013-08-19 03:48 · Score: 1
  
  Maybe you should read up on the law instead of speculating; It relates to financial institutes & the government. Or you could RTFA and see that it states clearly "his actions violated Facebook's Terms of Service".
  
  --
  Some people die at 25 and aren't buried until 75. -Benjamin Franklin
5. Re:Not illegal by X0563511 · 2013-08-19 04:00 · Score: 1
  
  CFAA: the worst, most overreaching, over-broad, and over-abused set of laws to ever "grace" our legal system.
  Well, next to interstate commerce.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
6. Re:Not illegal by CanHasDIY · 2013-08-19 04:12 · Score: 1
  
  Maybe you should read up on the law instead of speculating; It relates to financial institutes & the government.
  The law states that the CFAA is limited to systems that "have a compelling federal interest;" considering that it's well known that the government monitors facebook traffic, and possibly even has equipment running at the facebook datacenter, it's not a stretch to see how they could apply the CFAA to social media traffic. Again, don't agree with the practice, but I can see the potential for charges.
  
  Or you could RTFA and see that it states clearly "his actions violated Facebook's Terms of Service".
  Are you really claiming that one cannot both violate a ToS and a law simultaneously? Just because one was mentioned and not the other does not mean that the other is not a distinct possibility - it could mean that whoever wrote TFA failed to do their due diligence.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
7. Re:Not illegal by IcarusMoth · 2013-08-19 04:13 · Score: 1
  
  I'm sorry if you thought that it was childish. I think that the Team America World Police view of international laws and policies that you expressed bordered on insipid.
  
  Sure, the USA/Israeli semi-religious, hemi-apocalyptic, demi-political, mutually sycophantic, sociopathy enabling relationship; and tacit acceptance of antagonism towards the Palestine and it's people does complicate the issue. But, it only does so insomuch as Israel might send in the Mossad, crack some skulls, and the US will say "You did a bad thing, Izzy. Here is another few billion dollars not to do it again."
  
  But there you go expecting the Palestinians to extradite someone who is apparently bright and more over, reasonably minded to a country that gives 9x the annual aid to their unfriendly, oppressive neighbor. Seems that you are not understanding the realities of international justice and the treaties governing enforcement of international laws.
8. Re:Not illegal by CanHasDIY · 2013-08-19 06:24 · Score: 1
  
  But there you go expecting the Palestinians...
  I elicited no such expectation, so please refrain from putting words in my mouth; I have no idea where your hands have been.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
9. Re:Not illegal by sjames · 2013-08-19 10:34 · Score: 1
  
  If I were a lawyer, I might argue that offering the bounty on bugs implies permission to look for bugs.
Re:Minions!!! by Opportunist · 2013-08-19 03:30 · Score: 2

To get to the corporate morass, they certainly wouldn't have to decline...

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Google has a much better bounty program... by slashkitty · 2013-08-19 03:32 · Score: 3, Informative

They pay $7,500 for an XSS bug, more for more serious bugs. Facebook better think about their program before a more serious bug is made public or exploited privately.

--
-- these are only opinions and they might not be mine.
stupid me by Anonymous Coward · 2013-08-19 03:42 · Score: 1

Well what did he expect
When a Palestinian goes and invades the home (page) of someone called Zuckerberg.
Is despicable and horrible and would never happen in the real world.....oh hang on a minute
Well if they won't pay up by DrXym · 2013-08-19 03:50 · Score: 1

Don't tell them how it was done. No threats, no extortion, just don't tell them. Let them figure it out on their own dime.
Re:Not worth it, possible troll by phantomfive · 2013-08-19 04:02 · Score: 2

FB is so for iPhone using grandparents that even their engineers don;t take threats seriously... really is anyone still using that thing?
You should check it out, you'd probably like it. With grammar like that, you'd fit right in!

--
"First they came for the slanderers and i said nothing."
translation by slashmydots · 2013-08-19 04:18 · Score: 1

What they meant to say was "That report is received by an intern who doesn't give a damn because we don't take security seriously."
Same old same old by Arith · 2013-08-19 04:41 · Score: 1

Good to see they're still proactive. Somewhere around 2009 I came across a phishing scam to catch Facbook logins. On a whim I dug around the fake login page and I was able to glean over 15 thousand people's login info. I went to Facebook to do the right thing: "Hey, so and so is running a phishing scam and has their payload open to the WORLD.. might want to notify these thousands of people". The reply? A canned response: "So you are having trouble with your password information ..." What a joke.
Re: Very different... by dannys42 · 2013-08-19 04:43 · Score: 2

That's a very good point. Bug tracking systems (public and even private) should also have a way to track the reliability of submitters. I've been with the open source community since before "open source" was a phrase, and sadly from what I've seen, the community still seems to lack an understanding of the human side of things at pretty much all levels. And from how GNOME has been shaped through the years, it only seems to be getting worse.
Re:Jordan by Minwee · 2013-08-19 04:44 · Score: 2

There is no website that has a good security
Nonsense. My web site has perfect security. OK, it has zero reachability, but hey, you have to pay a price. ;-)
Ahh, the "Switched off and unplugged locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards" security model. A wise choice.
Not enough technical info? So... get some more by FuzzNugget · 2013-08-19 04:49 · Score: 2

I can buy that the submitted report "did not have enough technical information" to take action, but your response is ... uh, eh fuck it?

How about you follow up by contacting the submitter for more information.
$500 bait by LoRdTAW · 2013-08-19 05:08 · Score: 2

Hacker: I found a major exploit in your system. Here are the details.
Facebook engineers: (to themselves) Shit, he may be right but we can't reproduce it and we don't want to get into trouble. Just sweep it under the rug.
Hacker: I filed a major bug report and you didn't respond, here are more details in case you needed more help.
Facebook engineers: (to themselves) Oh fuck. That is going to be a lot of work to fix. File this one under the rug again. I hope I get a better offer from Google or Apple before the shit hits the fan.
Hacker: (hacks Zuckerberg's account) That will get their attention.
Zuckerberg to FB engineers: WHAT THE FUCK! How did this happen! I want answers now or heads start rolling!
FB engineers: Shit Shit Shit Shit Shit... contact that guy and see what he did ASAP! Oh god oh god oh god..........
Facebook/Zuckerberg: This is a major embarrassment but I still don't want to give that little bastard any credit for exposing our laziness. Reward denied.
Re:Devil's Advocate by dgatwood · 2013-08-19 05:22 · Score: 2

How can he have an IS degree if he can't even write a decent bug report?
Most universities (even in the U.S.) don't teach that skill. I'm not at all surprised. Even many fully employed software developers write terrible initial reports. My experience has been that on average, bug reports go back to the originator a couple of times just to collect the basics, and that's not including the number of times that the engineers bounce bugs back with suggestions like "Try [x] and see if that works" that are intended both to help the person get up and running and to determine the scope of the problem more fully.

--
Check out my sci-fi/humor trilogy at PatriotsBooks.
Re:This is so bad by dgatwood · 2013-08-19 05:29 · Score: 3, Insightful

This. As soon as a bug bounty program is shown to not actually pay out when a real security flaw is found, it becomes a worthless program. From now on, instead of telling Facebook, the not-insignificant percentage of hackers for whom the bounty was the only reason to report it to FB will simply disclose the flaw immediately, resulting in a significant reduction in the site's security for everyone.

--
Check out my sci-fi/humor trilogy at PatriotsBooks.
Nice job sparing 500$, facebook! by roscocoltran · 2013-08-19 05:41 · Score: 1

This is probably worth the risk of seeing more aggressive hackers in the future.
BS.. by SuperDre · 2013-08-19 06:06 · Score: 3, Insightful

Have you people actually seen the email-conversation between him and facebook?
Well if you have, you know HE is just a moron for making it public as he didn't send facebook a step-by-step on how to recreate the bug, all he did was say 'he I can post a message on someonelses wall without being a friend'.. and after facebook asked some details all he did was post a link to a post he made.. the man is a moron, if he's a "security researcher" then he should at least know how to do a proper bug-report.. Facebook get's so many fake bug-reports (with photoshopped images) from people who hope they can get a bounty..
1. Re:BS.. by someone1234 · 2013-08-19 09:56 · Score: 1
  
  Well, they found the bug after he demonstrated the vulnerability, so this security team sucks.
  They should probably create a test account and let people try and vandalize that.
  Anyway, they should have paid the 500 bucks regardless if the guy is a moron or not.
  He pointed out a real vulnerability. This actions increased the worth of Facebook (well, it would have been increased more if the sec team is not a bunch of jerks).
  
  --
  Patents Drive Free Software as Hurricanes Drive Construction Industry
Unjust Enrichment by Sentrion · 2013-08-19 06:12 · Score: 2

IANAL, but this case sounds like it might be a good candidate for an unjust enrichment lawsuit. If Zuckerborg refuses to pay the $500 bounty on the grounds that FB terms of use were violated, then shouldn't they pay the hacker "fair market value" for identifying the bug? After all, FB openly solicited bug reports from the general public with a promise of compensation. And did FB not implement new safeguards after they found out the exploit was legitimate, as evidenced by Zuckerberg's hacked page?
If my neighbor hires a painter, and the painter paints my house instead of my neighbor's house, and I stand by and watch the painter work on my house without informing the painter he is working on the wrong house, then I am obligated to pay the painter the amount he would have charged my neighbor for the work performed. Absent any written agreement, the amount due would be based on the fair market value of the labor performed plus a generally accepted markup for the cost of materials.
So now I'm curious, what would be the fair market value for finding an exploit that would allow a hacker to alter Mr. Zuckerberg's own FB page? Given that the IRS can tax certain unsaleable items based on "illicit market" value, could the "street value" of Mr. Shreateh's findings be considered for valuation given that there is no "fair" market value, since such a value implies that there exists a market, meaning more than one possible customer legally able and willing to make an offer for such findings?
Read more: http://lancasteronline.com/article/local/607346_IRS-values-stolen-or-illegal-items-at-black-market-rate.html#ixzz2cRIxNEoC
1. Re:Unjust Enrichment by mysidia · 2013-08-19 15:02 · Score: 1
  
  If my neighbor hires a painter, and the painter paints my house instead of my neighbor's house, and I stand by and watch the painter work on my house without informing the painter he is working on the wrong house, then I am obligated to pay the painter the amount he would have charged my neighbor for the work performed.
  Wait: no. There's a problem with that. You can't have part of your house painted, and then have the painter stop: that would look horrible.
  I have a right to not have my house painted against my will. But if someone starts painting my house; I have a right to not have a combination of discolored old paint and patches of new paint.
  The painter owes me to make it right. He's got to complete the job, or pay me to have someone fix it.
haxormania by hesaigo999ca · 2013-08-19 06:22 · Score: 2

Mark considers himself a haxor, so do many others that use his app. Some are smarter then others, this one proved he was, and went so far as to show the creator of facebook he was, instead of 500$ , I would have asked for a job, and some cigars, love those cigars, and maybe a bottle of tequila.... but never money!
Its the principle of it all
CNR by The+Grim+Reefer · 2013-08-19 06:41 · Score: 3, Funny

This XKCD seems appropriate. The first time I saw it I almost fell out of my chair laughing. At my previous company I practically had to write a doctoral thesis to get simple obvious bugs fixed.
Mess with Facebook? by PPH · 2013-08-19 07:14 · Score: 1

Perhaps Shreateh can get asylum in Russia.

--
Have gnu, will travel.
bullshit by shentino · 2013-08-19 07:23 · Score: 2

He reported the bug BEFORE he violated the facebook TOS.
So Facebook is just using the TOS violation as an excuse for *retroactive* denial of the bounty *he had already earned*.
Facebook is being evil, yet again. by runeghost · 2013-08-19 07:29 · Score: 1

Realisitically, what are the chances that even the most vile possible behavior by Facebook will even scratch their bottom line?
Facebook delenda est.
oh dear... by Anonymous Coward · 2013-08-19 10:40 · Score: 1

a jew's company really has refused to pay a palestinian money, and now spend real time and energy trying to make it look like the palestinian's fault. You couldn't script it.
just a suggestion by roc97007 · 2013-08-19 13:03 · Score: 1

If Facebook won't pay him the $500, we should pass the hat around. Such chutzpa should be encouraged.

--
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Stupid, soft-headed moderators by gd2shoe · 2013-08-19 13:25 · Score: 1

Oh, come on moderators. -1 offtopic? I'm exactly on topic responding to parent. Is it because you find him funny (and totally unable to understand gpp), but the truth is too inconvenient for you?
I speak bad about Palestine (which has epic violence problems), and it doesn't matter that I throw Israel under the bus too? I spoke bad about the "victims" therefore I must be a bad person, and must be modded down? There is no excusing anyone who stands up for the violent, hateful, racist scumbags that shoot rockets from Palestine at Israel's civilians.
If they wanted real change, the rest of the world is ready to be sympathetic... but can't be while Palestine's moron population is trying to prove just how terrible it can be. The murderous lunatics are only slowing peace down. The real victims are the dead and suffering, on both sides of the wall. Yes, I guess I actually am calling for people to think of the children.

--
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
Re:Not securing a service is criminal too. by mysidia · 2013-08-19 14:46 · Score: 1

It's illegal but not criminal. The recourse is civil.
Re:This is so bad by mysidia · 2013-08-19 14:58 · Score: 1

FB will simply disclose the flaw immediately, resulting in a significant reduction in the site's security for everyone.
Why bother disclosing the flaw at all?
They'll probably just anonymously announce that they found it; hint that it might be available for the right price, if someone is sufficiently interested.