Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

← Back to Stories (view on slashdot.org)

Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

Posted by samzenpus on Monday August 19, 2013 @02:15AM from the do-you-see-it-now? dept.

Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"

40 of 266 comments (clear)

Min score:

Reason:

Sort:

Take it public by scubamage · 2013-08-19 02:17 · Score: 5, Insightful

Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I was the submitter I'd just publish the exploit and be done with it.
1. Re:Take it public by gl4ss · 2013-08-19 02:22 · Score: 4, Insightful
  
  They don't follow up on anything, I checked.
  It might be because they're so swamped or maybe it's that if they feel like it's not their bug then they don't do anything. Either way not very responsive.
  
  --
  world was created 5 seconds before this post as it is.
2. Re:Take it public by SQLGuru · 2013-08-19 02:37 · Score: 5, Insightful
  
  I read the guy's own post about it. He reported what he could do and not the steps required to exploit it. The Facebook team couldn't reproduce it as a bug (since there were no repro steps) and closed it as "not a bug".
  So really, the problem was one of communication. The guy has the problem a lot of my clients/users have in that they don't give enough detail to investigate the bug and Facebook didn't really follow what he was trying to say (since he just sent them links saying "look what I did"). I'm not saying he didn't legitimately find an exploit and probably deserves some bounty ($500 is nothing to a company like Facebook), but Facebook should probably have some guidelines for how to submit bugs.
  Aside - what any bug report needs:
  * What action were you taking?
  * What result did you observe?
  * What result did you expect?
  * Are there specific data values that always exhibit the symptom?
  * Are there specific data values that do not exhibit the symptom?
  * Reproduction steps (be as detailed as possible)
  * Any other useful details about the bug (error messages, screen shots, etc.)
3. Re:Take it public by Anonymous Coward · 2013-08-19 02:37 · Score: 5, Insightful
  
  I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.
4. Re:Take it public by Skapare · 2013-08-19 02:44 · Score: 5, Insightful
  
  If YOU could read the guy's post, then that would be the WRONG place for him to put the details about how to reproduce it. Facebook engineers should have contacted HIM, directly, by a secure means, to get those details. If Facebook engineers expect exploits to be posted in a public forum, then it is THEY who are doing this wrong.
  
  --
  now we need to go OSS in diesel cars
5. Re:Take it public by Opportunist · 2013-08-19 03:11 · Score: 5, Insightful
  
  The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a through investigation.
  A severe security hole DOES! Almost invariably. Anything that allows an attacker to gain access in some way IS a reason for an investigation. The crucial point here is that undoing the damage is nearly impossible. With a crash, you can reenter the data and undo the damage. With a security breach, the data is out and there is NO way you can undo the damage, once data is out, it IS out.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
6. Re:Take it public by Opportunist · 2013-08-19 03:13 · Score: 3, Insightful
  
  'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
7. Re:Take it public by Anonymous Coward · 2013-08-19 03:21 · Score: 5, Insightful
  
  I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."
8. Re:Take it public by GNious · 2013-08-19 03:28 · Score: 5, Insightful
  
  This is why you change the Bug Status from "New" to "Need More Information", and NOT to "Closed" or "Get Lost, Ass".
9. Re:Take it public by dgatwood · 2013-08-19 03:31 · Score: 4, Insightful
  
  No, not almost invariably. Invariably. You always follow up on security hole bug reports. Always. If you do not do this, you are incompetent. Assuming this security researcher gave them a reasonable amount of time (the summary here doesn't say), then this is once again a demonstration of Facebook talking "secure" but implementing the opposite, hyping their bounty program while refusing to pay out.
  For that matter, you should always follow up on non-security bug reports unless they're obvious garbage (e.g. porn site spam submitted to your bug reporting page by a bot). But security bugs? There's no excuse for not following up on those. Ever. EVER.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
10. Re:Take it public by Rob+the+Bold · 2013-08-19 03:32 · Score: 4, Insightful
  
  I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.
  Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting. I'd also make sure my instructions and description of the report format were just a little vague, so the user would be forced to fill in the blanks, further reducing the odds that the report would be "valid". Maybe I'd require some info that most bug reporters would think irrelevant or inapplicable to most bugs -- you know, just to tempt them to skip that part. Then I could pretty much close every ticket with "can't reproduce" and screw around on facebook all day -- for quality assurance purposes, of course.
  
  --
  I am not a crackpot.
11. Re:Take it public by X0563511 · 2013-08-19 03:53 · Score: 4, Informative
  
  Hell you should at least respond to the reporter! "Can you provide more detail?" and then waiting for said detail is infinity better than ignoring or rejecting it.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
12. Re:Take it public by jovius · 2013-08-19 04:03 · Score: 5, Informative
  
  Incidentally I was just reading about the issue... Market research numbers from last year.
  
  $5000 - $30,000 Adobe Reader
  $20,000 - $50,000 Mac OSX
  $30,000 - $60,000 Android
  $40,000 - $100,000 Flash or Java Browser Plug-Ins
  $50,000 - $100,000 Microsoft Word
  $60,000 - $120,000 Windows
  $60,000 - $150,000 Firefox or Safari
  $80,000 - $200,000 Chrome or IE
  $100,000 - $250,000 iOS
13. Re:Take it public by Anonymous Coward · 2013-08-19 04:18 · Score: 4, Informative
  
  Exactly. I once reported a bug which caused corruption of Linux configuration files. A simple change through an approved interface would eventually cause the keyboard to stop working because a configuration file was corrupted, making even rebooting a problem. I even got my company IT department involved to figure out what was going on. (The discovered the corrupted configuration file.) To recover it seemed the only path for me was to reinstall the OS. I'm not a Linux developer at all, just a victim of the bug, but I wanted to be helpful. I spent about 10 hours over several days attempting to reproduce the bug and eventually got it down to a series of steps with a 70% likelihood of causing the problem. I decided to report it through proper channels ... do A, B, and C and notice that this file is corrupted at this location. I figured I'd given someone enough information for a knowledgeable person to act on and was kind of proud of myself for going out of my way to help instead of just ranting about the horrible state of Linux.
  The result was a message from the development team asking me to take the bug and work on a fix. When I responded that I wasn't in any position to do that I got a nasty "won't fix" status on the bug an a sarcastic remark that "that's the way the community works. If you want a bug fixed then you have to be willing to work on it yourself."
  l figured the time I had put in to reproduce the problem and report it was my contribution. I don't know if it ever got fixed. I don't care. /rant
  TL:DR When someone reports a bug and gives even the slightest details of how to reproduce it or indicates the consequences of the bug are serious, don't just slap him in the face and tell him to get lost. If you need more information then ask for it.
14. Re:Take it public by freezin+fat+guy · 2013-08-19 04:20 · Score: 4, Insightful
  
  They don't follow up on anything, I checked.
  Nobody enjoys following up on things in which they have absolutely no interest.
  Facebook have proven exceedingly reliable at not caring about their user's security or privacy.
  Having living proof of a hack is especially annoying because it actually forces them to respond and improve user security. Fankly, I'm surprised they are pressing charges.
15. Re:Take it public by fzammett · 2013-08-19 04:24 · Score: 3, Insightful
  
  Exactly, and I'm surprised people are arguing anything but this. Even for a report that you completely believe to be bogus, what time does it take to reply "hey, can I get more info?" Best case, it WAS bogus, and you never hear from the person again. You "wasted" all of 30 seconds. For a company like Facebook, that should be a trivial investment when the downside of an ACTUAL security problem is so bad. Assuming the report that they didn't reply in any way is accurate, then THIS is where Facebook fell down worst, and it's what is inexcusable.
  
  --
  If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
16. Re:Take it public by dgatwood · 2013-08-19 04:37 · Score: 5, Interesting
  
  Basically all he did is say "I posted to someone's timeline, this is a bug" and linked to the post he made. He didn't explain anything.
  Bzzt. If Facebook's logging weren't broken, that should be all they need. The existence of the post itself, having been posted to a wall where he should not have been allowed to post, should have been enough to determine trivially that the bug was real. Further, the post's database record should contain the posting IP address and the ID of the server that handled the request. From there, they should have been able to look at the server's request logs to determine precisely how the attack happened (assuming the researcher was using a structurally valid URL in the request, as opposed to exploiting a null character handling bug in the web server itself).
  But even if they looked at the logs and couldn't figure out what happened, IMO, it is still completely unacceptable to just close a bug like this. It's one of those bugs that, if real, is borderline catastrophic in scope. You do not close a bug like that as "cannot reproduce". You contact the originator and say, "Hey, can we get more information about this? We need to try to reproduce the problem."
  It's sad that it takes somebody posting on the CEO's Facebook page to get the attention of Facebook's security staff. This means one of two things: they are grossly mismanaged or are woefully understaffed—probably the latter, IMO. Either way, it tells me that Facebook does not take security seriously enough. If bug screeners do not have time to properly follow up on bugs that are this severe, then they need to double or even triple the number of screeners.
  Also, this brings into serious question the way that Facebook screens bugs in the first place. Where I work, a bug like this would have been tagged as a security bug the moment it came in. This causes additional people to review the bug, significantly reducing the likelihood of a serious mistake. Closing the bug without asking for more information strongly suggests that a single, hopelessly overworked individual made a mistake, and that the company as a whole failed to have proper processes in place to ensure additional review that would otherwise have caught that mistake quickly and followed up with the original reporter. Not good. Not good at all.
  And as long as I'm criticizing Facebook's security practices, IMO, a service like this should have several publicly visible, official security testing accounts for precisely this purpose, with various restrictions on various posts, etc. so that security researchers can properly hammer on their site's security. For example, there should be an official test account that looks an awful lot like Mark Zuckerberg's account. If a researcher is able to post on the wall of that account, there can be no doubt whatsoever about the fact that a bug exists. Likewise, there should be more complex accounts with various security settings, complete with a list of that content and the expected behavior (e.g. you should not be able to read the barcode image entitled "nude_selfie_for_my_boyfriend.jpg").
  In short, I suspect there's plenty of blame to go around for this error. What matters is not who gets blamed, but rather how Facebook fixes their processes to ensure that such mistakes do not get made in the future. And I would emphasize that this does not involve firing anyone. People make mistakes. That's why processes are supposed to be designed to mitigate those mistakes. A company like Facebook is big enough that they should know this. If they don't, then perhaps this object lesson will get their attention and cause them to change their ways. If not, it's time to run, not walk, to a competing service.
  Either way, what the researcher did was IMO wholly appropriate. He initially performed the smallest attack that could potentially have proven that there was a flaw. When the first report was casually dismissed, he then escalated that attack,
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
17. Re:Take it public by dgatwood · 2013-08-19 04:50 · Score: 4, Interesting
  
  Imagine you're Facebook and you're getting piles of "I can post on someone else's timeline!" Well, you can be 99.999% of those cases are probably one of user error - as in, the user reporting it could do it because the permissions said so.
  Even if you're right, and 99% are bogus, there's no excuse for having a process where you choose "Not a bug" instead of "Need more information" with a request for steps to reproduce. That should be drilled into employees as the only valid response until they are relatively certain that the problem was user error. This culling was premature; you must assume that the bug *might* need investigation until it is clear that it does not. Anything less is negligence.
  But the bigger problem is that there's no good way for Facebook to be certain that it wasn't user error unless the account is known (by Facebook) to have settings that should have prevented posting. That's what makes the CEO's page an obvious choice. IMO, there's also no excuse for a company the size of Facebook to not provide an account that is preconfigured to not allow posts so that if a researcher successfully posts on it, the subsequent security bug report has automatic credibility (and, hopefully, additional logging by Facebook's servers, immediate reaction from their security response team, etc.). Perhaps call the test account Zark Muckerberg.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
18. Re:Take it public by Frobnicator · 2013-08-19 04:57 · Score: 4, Insightful
  
  Assuming the report that they didn't reply in any way is accurate, then THIS is where Facebook fell down worst, and it's what is inexcusable.
  
  Seems like Facebook employees forgot the reason they pay for the bounty program in the first place. It is to provide an incentive to report it to the company rather than reporting it to the black market for exploits.
  A few seconds on Google will show the going rates of black market zero-day exploits for various services. Facebook was offering $500, but now won't pay. Black market rates he can still get about $40,000. (Note that $500USD is a year's salary in most of Pakistan.)
  If he doesn't have the ethics, or if he really wants the money and thinks being in Pakistan makes him outside Facebook's reach, he can still get about 80 years' salary ($40,000) on the black market.
  
  --
  //TODO: Think of witty sig statement
Won't pay? by schneidafunk · 2013-08-19 02:19 · Score: 4, Insightful

Seems to me that Mark is just pissed at being embarrassed, there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.

--
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
1. Re:Won't pay? by Nerdfest · 2013-08-19 02:22 · Score: 5, Insightful
  
  Perhaps they should pay him extra and thank him ... he could have done much, much, worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.
2. Re:Won't pay? by schneidafunk · 2013-08-19 02:24 · Score: 3, Insightful
  
  Exactly. You raise a good point, he used his personal account, which ended up getting suspended.
  
  --
  Some people die at 25 and aren't buried until 75. -Benjamin Franklin
3. Re:Won't pay? by afidel · 2013-08-19 02:24 · Score: 5, Insightful
  
  Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
4. Re:Won't pay? by IronOxen · 2013-08-19 02:33 · Score: 5, Insightful
  
  Actually, he also exposed a bug in the bug reporting system that prevents it from responding to and or acknowledging the exact type of vulnerabilities it was designed to find. It was obviously repeatable since the vulnerability was reported twice and was ignored both times. He should be paid for that one as well.
5. Re:Won't pay? by Nemesisghost · 2013-08-19 02:40 · Score: 4, Insightful
  
  So you are saying they should pay him and thank him, because he committed a worse offence than he did?
  Yes. He tried to use their own method for reporting such problems. If he had just hacked it outright before telling them, then that'd be a different story. But when a company fails to use the information provided to them from their own communication channels, especially when it seems that they did so to screw someone out of a reward, then they deserve what they go & should still pay up.
6. Re:Won't pay? by Chris+Mattern · 2013-08-19 02:46 · Score: 3, Interesting
  
  No they aren't, because *finding* a security flaw is not the same thing as illegally *exploiting* a security flaw. If you need a proof of concept, you can hack your own account.
7. Re:Won't pay? by ArhcAngel · 2013-08-19 02:54 · Score: 4, Insightful
  
  Hacking into someone's account is a criminal offence.
  It was not hacking since Facebook said themselves it was not a bug. Therefore it must be a feature and taking advantage of a feature is not hacking. Now if someone were to take advantage of that feature on my account I would sue Facebook for providing said feature and point to their own forum as evidence.
  
  --
  "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
That's a catch 22 by i+kan+reed · 2013-08-19 02:23 · Score: 4, Insightful

Post what you know to their white-hate system: not reproducible with that information. No money.
Reproduce it yourself: violating TOS. No money.
1. Re:That's a catch 22 by Nerdfest · 2013-08-19 02:26 · Score: 5, Insightful
  
  Sell it on the open market, plenty of money.
Re:What next? by Rob+the+Bold · 2013-08-19 02:28 · Score: 3, Funny

So is he going to respond by firing some rockets at them?
WTF? Zuck's got a private army now? Maybe he got some Predators as a thank-you gift from the NSA.

--
I am not a crackpot.
Not worth it by phantomfive · 2013-08-19 02:31 · Score: 5, Interesting

Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds.

That's absolutely not worth the money. He's better off taking the publicity he got from this and turning it into a high-paying job.

--
"First they came for the slanderers and i said nothing."
Re:Devil's Advocate by bill_mcgonigle · 2013-08-19 02:38 · Score: 3, Insightful

As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.
It's not 'leveraging an attack' when it's demonstrating the veracity of the claim, to a higher-up employee's wall because the lower level employee ignored you. If there's a problem with his behavior it's that he first posted on the wall of a friend of Zuck, who is not an employee and outside the bug reporting transaction. That was stupid, but a post to Facebook Security's page seems like fair game to demonstrate a problem.
That said, his bug report was complete shit and barely distinguishable from spam. How can he have an IS degree if he can't even write a decent bug report?

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
A great way to alienate the white-hat community. by fuzzytv · 2013-08-19 02:44 · Score: 5, Insightful

Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473
If someone from Facebook reads this, and it's TL;DR; here are the next steps:
#1 apologize to the guy, acknowledge he reported the issue twice
#2 reinstate the account and pay him his reward
#3 fix the damn issue
Re:Guilty of being Palestinian by Chris+Mattern · 2013-08-19 02:49 · Score: 4, Insightful

$0. They didn't give him money becuase a) it was a shit bug report and b) corporations are innately averse to giving out money to *anybody*, even if there's a policy saying they have to. Palestine has nothing to do with it.
Cheapskates by Anonymous Coward · 2013-08-19 02:53 · Score: 4, Funny

Refusing to pay because it violates terms of service? Wait wait, I'm now convinced all my online details are safe. Afterall the terms of service protects me from dishonest hackers, right?
Re:500 USD? by Impy+the+Impiuos+Imp · 2013-08-19 03:24 · Score: 3, Insightful

$5000 would be a better starting bounty. What are they expecting, 100,000 bugs?

--
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Google has a much better bounty program... by slashkitty · 2013-08-19 03:32 · Score: 3, Informative

They pay $7,500 for an XSS bug, more for more serious bugs. Facebook better think about their program before a more serious bug is made public or exploited privately.

--
-- these are only opinions and they might not be mine.
Re:This is so bad by dgatwood · 2013-08-19 05:29 · Score: 3, Insightful

This. As soon as a bug bounty program is shown to not actually pay out when a real security flaw is found, it becomes a worthless program. From now on, instead of telling Facebook, the not-insignificant percentage of hackers for whom the bounty was the only reason to report it to FB will simply disclose the flaw immediately, resulting in a significant reduction in the site's security for everyone.

--
Check out my sci-fi/humor trilogy at PatriotsBooks.
BS.. by SuperDre · 2013-08-19 06:06 · Score: 3, Insightful

Have you people actually seen the email-conversation between him and facebook?
Well if you have, you know HE is just a moron for making it public as he didn't send facebook a step-by-step on how to recreate the bug, all he did was say 'he I can post a message on someonelses wall without being a friend'.. and after facebook asked some details all he did was post a link to a post he made.. the man is a moron, if he's a "security researcher" then he should at least know how to do a proper bug-report.. Facebook get's so many fake bug-reports (with photoshopped images) from people who hope they can get a bounty..
CNR by The+Grim+Reefer · 2013-08-19 06:41 · Score: 3, Funny

This XKCD seems appropriate. The first time I saw it I almost fell out of my chair laughing. At my previous company I practically had to write a doctoral thesis to get simple obvious bugs fixed.