Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Community Raises $12k For Researcher Snubbed By Facebook

Posted by Soulskill on from the pay-the-man dept.

Trailrunner7 writes "Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn't like people messing with its users – or its executives. That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him – or any other user – to post comments on the walls of other users who aren't their friends. That shouldn't be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him he didn't provide enough information. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg. On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher."

95 comments

  1. Zuck, pay up by Anonymous Coward · · Score: 5, Insightful

    nothing more to say

    1. Re:Zuck, pay up by ackthpt · · Score: 5, Funny

      nothing more to say

      Zuck doesn't like to pay up, ask any Winklevoss you meet, they'll tell ya.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Zuck, pay up by l0ungeb0y · · Score: 1

      ask any Winklevoss you meet

      *ahem* I believe the correct term is Winklevi

    3. Re: Zuck, pay up by Anonymous Coward · · Score: 0

      Actually, Winklovices, plural of Winklovix, c.f. modern English Winklovess

    4. Re:Zuck, pay up by ackthpt · · Score: 1

      ask any Winklevoss you meet

      *ahem* I believe the correct term is Winklevi

      "Winklevi powers Activate! Form of a lawsuit!"

      I dunno, not sure it's really working for me. :-/

      --

      A feeling of having made the same mistake before: Deja Foobar
    5. Re:Zuck, pay up by LifesABeach · · Score: 3, Funny

      Actually, $500 just became $12,000; I think maybe the little zuck could own up? Or maybe deFacedBook doesn't have the capitol?

    6. Re:Zuck, pay up by davester666 · · Score: 1, Funny

      It doesn't work unless you fist-bump your twin as you say it...

      --
      Sleep your way to a whiter smile...date a dentist!
    7. Re:Zuck, pay up by Beorytis · · Score: 1

      More likely Winklevöss or Winklevossen

    8. Re:Zuck, pay up by Anonymous Coward · · Score: 0

      I'm pretty sure that FB, as big as it may be, doesn't own the Capitol. Yet.

    9. Re:Zuck, pay up by LifesABeach · · Score: 1

      the little c was out of respect to those like the little zucker.

  2. Probably pointless by MikeRT · · Score: 3, Insightful

    And when it reaches a certain level, Facebook may swoop in with their lawyers and claim that it can block him receiving them back it's money earned from a technically criminal act.

    1. Re:Probably pointless by Anonymous Coward · · Score: 0

      no.

    2. Re:Probably pointless by wackybadger · · Score: 1

      Criminal act? Really? It violates Facebook's ToS, but that's it.

    3. Re:Probably pointless by vivaoporto · · Score: 4, Informative

      Violating JSTOR's terms of service landed Aaron Swartz in a world of trouble, seems like it's enough to get you a dozen of felony indictments nowadays

    4. Re:Probably pointless by Anonymous Coward · · Score: 5, Informative

      Technically he was arrested for breaking and entering, as he had to gain physical access to networking equipment to download JSTOR's documents in bulk.

      He was later charged with wire fraud and computer fraud. He didn't just try to download stuff, he actively worked around being blocked when they detected him... over a period of several weeks. He would get blocked and then modify his MAC to get a new IP and start again. He bought a throw away computer and named it Gary Host (GHOST). They eventually blocked entire chunks of the MIT network to stop him... thus he resorted to directly accessing some networking equipment in a restricted area and was filmed doing so while trying to hide his face.

      What he did is wrong. Read the indictment.

      Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

    5. Re:Probably pointless by interval1066 · · Score: 4, Insightful

      He didn't steal the money, nor did he use the bug to get it. It will be a gift from an unconnected 3rd party. Not too sure how this will be a criminal act. Even if they could do it, the only way they could block it is via lawsuit. Unless Facecook has also become a an arm of law enforcement.

      On a more cogent point; you'd think the hip geeks at facebook would have heard of the Streisand Effect, demonstrated over and over again in these cases.

      My girlfriend keeps asking me why I don't apply at facebook,

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:Probably pointless by interval1066 · · Score: 1

      Of course, the overreaction of charges...

      They tarred and feathered him for essentially pulling a digital, although an illgal, prank. He was facing serious prison time becuase 1) it was a "hacker" type digital age crime, 2) it embarrassed MIT and the Fed, 3) The Man's reaction to ANY infringement of ANY penal violation is slowly but with increasing pace plain, bald-faced, incarceration; becuase it saves time and money in the short term with an overburdened court system and a legislative branch that measures its productivity in terms of number of bills passed. We're becoming a police state in which anyone who makes a noise and doesn't have money is thrown into prison to get them out of site. Pretty soon they'll be throwing soylant green to everyone who isn't in the 1% and moving on with important things, like making crazy mortgage schemes that bring down entire economies.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    7. Re:Probably pointless by Nerdfest · · Score: 1

      You should tell her that it's because you have a conscience.

    8. Re:Probably pointless by wbr1 · · Score: 1

      He stole facebooks PRIDE. And, lest you forget, corporations have co-opted law enforcement for years now, see the RIAA/MPAA for examples.

      --
      Silence is a state of mime.
    9. Re:Probably pointless by Anonymous Coward · · Score: 0

      As long as he declares & pays taxes on it as a received gift, he'll probably be fine.

    10. Re:Probably pointless by bad-badtz-maru · · Score: 1

      The CFAA has been used to prosecute, in this manner, for many years. The ToS defines authorized access and unauthorized access is illegal under the CFAA.

    11. Re:Probably pointless by tqk · · Score: 1

      But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

      I'll bet if you watched closely enough, that would describe everybody.

      Did you know it's now illegal to use a pellet gun in city limits? I did that all the time as a kid (no, not shooting windows! :-).

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    12. Re:Probably pointless by Anonymous Coward · · Score: 0

      the guy simply did what facebook asked.. he provided more information in the form of an example. duh. i dunno what kinda stick facebook has up their collective asses, but it must be pretty big.

    13. Re:Probably pointless by fahrbot-bot · · Score: 2

      Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

      You know, way (way) back when I was in college, there was a really bright student who could circumvent the all local security measures. The CS department simply offered him a job - and he accepted (to the mutual benefit of the student and department).

      --
      It must have been something you assimilated. . . .
    14. Re:Probably pointless by Anonymous Coward · · Score: 0

      Analogy:

      Someone builds a house that they allow others to walk into, so long as they have a key. Each person gets their own room, and are able to allow others into that room, or not. The owner also mentions to everyone that if they find a way to get in any room without a key/permission and let the owner know, they get $500. Someone that has a key says, "Hey guys, there's a huge hole in the wall in each room that would allow anyone to get in any room. It looks like a window, but there's no glass in it, so you can just walk in." The home-owner says, "umm, nah, there's glass in there, move along." So the guy says, "oh yeah, well watch this shit..." and proceeds to walk through the owner's room in order to prove that what the owner thought was glass, in fact wasn't.

      After this, what you're saying is that the owner has the right to call the cops because the guy broke in? I don't think that this is in any way similar to Aaron's case. I think that the guy should be able to sue facebook for $500. But then again, I think it's best to leave facebook alone, because it's fucking pathetic. Facebook, It's the treadmill of social interactions, and should be folded up and left in the corner of a room that never gets used.

    15. Re:Probably pointless by Anonymous Coward · · Score: 0

      Haha give me a break. I don't know anyone that isn't aware that breaking and entering is a crime.

    16. Re:Probably pointless by metrix007 · · Score: 1

      It doesn't work like that. If what he did is a crime, then the money raised and then given to him is profit as a direct result of that crime. Which isn't allowed.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    17. Re:Probably pointless by Anonymous Coward · · Score: 0

      The thing about Facebook is that people can tag you, talk about you, comment, post and generate a huge trove of information on your life and who you are regardless of whether or not you have an account.

      Think about it.

    18. Re:Probably pointless by tqk · · Score: 1

      But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

      I'll bet if you watched closely enough, that would describe everybody.

      I don't know anyone that isn't aware that breaking and entering is a crime.

      Breaking and entering, to steal back stuff that was his and was stolen/misappropriated. You go ahead and hire a lawyer and rely on your pathetically flawed legal system. The rest of us have better things to do than futz with entitled morons.

      "The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  3. Deserved? by Anonymous Coward · · Score: 1

    I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug. For $12K you ought to take the time to be pretty thorough in providing a reproducible bug report.

    1. Re:Deserved? by ShanghaiBill · · Score: 3, Interesting

      I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug. For $12K you ought to take the time to be pretty thorough in providing a reproducible bug report.

      I would also like to see this. The reports on this are inconsistent. At first I heard that Facebook "ignored him". Now I am hearing that they "asked for additional information" (which he either did or didn't provide - nobody knows?).

      A better way for Facebook to handle this in the future, would be to set up some sandbox "hack me" accounts. Then someone with an exploit can demonstrate it, and ensure they will be taken seriously.

    2. Re:Deserved? by bill_mcgonigle · · Score: 5, Insightful

      I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug.

      See the previous story from a few days ago here. The bug report was complete crap, and barely distinguishable from spam. It was ALSO a legitimate bug that he was reporting AND he inappropriately spammed a third-party's wall with it.

      That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.

      Assuming they fixed the bug, he ALSO deserves the bug bounty reward.

      There's no good-guy, bad-guy Hollywood story here - it was a bunch of bad communication all around that resulted in a narrative that sold page views. I know, that doesn't make for an emotional after-school special.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Deserved? by Anonymous Coward · · Score: 0

      You can see it in his blog. http://khalil-sh.blogspot.ru/p/facebook_16.html

      Honestly, I've seen number of terrible bug reports in my life but this one is easily in top 3. I would not call him security researcher because that just sounds wrong...

    4. Re:Deserved? by Damathon · · Score: 1

      That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.

      How is it that they wrongly deactivated his account? He exploited a bug and used it to post on someone else's wall, just like any spammer would have. It's clearly fair to deactivate while investigating further to block him from using the exploit on anyone else.

    5. Re:Deserved? by firex726 · · Score: 1

      Wait, is that really all it was?
      There is no reproduction there, just a one sentence description of what happened.

      Did he expect Facebook to trawl through their server code and logs to figure out for themselves what he did?

    6. Re:Deserved? by tibman · · Score: 1

      The only reason why the bug was exploited was to show the FB team what the bug was. Not only that but get said something like, "I posted in a place i shouldn't be able to and it is a bug that i am reporting". He was cooperating and bringing an issue to FB. Why assume he's a spammer at all?

      --
      http://soylentnews.org/~tibman
    7. Re:Deserved? by tibman · · Score: 1

      I would at least expect them to ask him how he did it. Not just ignore that he was able to do something that should be impossible.

      --
      http://soylentnews.org/~tibman
    8. Re:Deserved? by rsborg · · Score: 1

      A better way for Facebook to handle this in the future, would be to set up some sandbox "hack me" accounts. Then someone with an exploit can demonstrate it, and ensure they will be taken seriously.

      And any publicly available honeypot would need monitoring, espeically if it's running close-to-production codebase, as that will essentially give blackhats the perfect place to demo their exploits.

      --
      Make sure everyone's vote counts: Verified Voting
  4. Great to see there are some whole hearted people by Anonymous Coward · · Score: 0

    Congrats, and Facksh** can go get fuc**d.

    They are so worried about users being hacked and attacked they ignored this bug. And posting it on Mark Fu**rberg, wasn't enough to motivate him to take this "bug bounty" more serious. This isn't a shock, getting hacked on Facebook is a pretty daily occurrence, but if users that have been hacked took there complaints to a blog, or even if some would create a site popular enough for these complaints to be publicly and widely exposed you'll see a quick turn around in how serious they will take the bounty program, and there neglected users....

  5. communication skills by OleMoudi · · Score: 2

    Not trying to play devil's advocate here but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to successfully explain and make understand each flaw to even non-technical people or your work is somewhat worthless.

    Now it's true that one can expect a reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated, go through a lot of invalid and spurious submissions a day.

    So in case you are hoping for a reward, you better make your submission as clear as possible before going mad and go public. Also you should at least retry and send additional details before giving up on them (reports do not mention whether the researcher "repeatedly" tried to explain the vuln to them.

    IMHO the lack of patience from the researcher illustrates he really does not care about making Facebook (or anything) more secure. Only money drives him. This is perfectly acceptable but no quite the image for raising money as if he were a true whitehat.

    --
    ---------
    Thinking never hurt anybody --MacGyver
    1. Re:communication skills by sjwt · · Score: 3

      Bull shit, if you have non-technical people running your bug bounty, then you have lost, they will be paying for things that aren't bugs and ignoring others.

      "If I do X, Y happens, repeatedly. Y should not ever happen"

      You shouldn't have to do more than that to report a bug for a bug bounty program.

      --
      You have 5 Moderator Points!
      Which Helpless Linux zealot/MS basher do you want to mod down today?
    2. Re:communication skills by firex726 · · Score: 1

      Except he did not do that, he just said he found a way to post on other people's timelines.
      There is nothing about the steps he took, or why it might be happening.

      http://khalil-sh.blogspot.ru/p/facebook_16.html

    3. Re:communication skills by TapeCutter · · Score: 1

      Bull shit, if you have non-technical people running your bug bounty....

      C'mon, read his bug report there was no "if this, then that" in his post, when you translate the teenage gibberish into low level techno-babble it basically says "pwned - pay up". I'm no fan of FB but this guy is on an ego trip and wanted to make headlines for himself at FB's expense, a developer I worked with in the 90's used to do a similar thing when printing out code for code reviews, he would hide an innocuous comment somewhere in 100K lines that said something like "This line has been inserted to test the efficacy of code reviews, it was inserted on and should be removed when found". It was huge rigidly managed project worth ~$100M over 5yrs, they reviewed and planned everything to death, yet it was several years and a lot of dead trees before the "test" was eventually passed

      Engineering works because engineers generally work in an atmosphere of good faith between themselves, customer facing engineering processes such as bug reporting are built with that assumption in mind and are easily gamed by trolls. Non-technical people are hired to tackle the fire hose and are only as useful as their on the job training allows them to be, I very much doubt the same people "run the bug bounty". Technical people like me are expensive to hire, to be even remotely competitive any large software house must put a level (or two) of basic filtering between the fire hose of customer "bug" reports and the list of reproducible bugs the expensive technical people are hired to fix.

      Also if the FB PR people are smart enough to call off the cops and pay the bounty, will the 'researcher' (lol) be returning those donations to the punters or passing it on to a real charity? - I for one think the donations are likely to stay in his pocket, maybe I'm being too harsh on the boy and the smucks throwing money at him but his cries of victimisation don't match the evidence at hand. At best he is crying wolf, at worst he is doing a "Zuck" - screwing with other people's livelihood's for fun and profit, and no, two wrongs do not make it all right.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  6. $12,000 goes a long way in palestine by Anonymous Coward · · Score: 0, Insightful

    Dude is going to have running water and good food for the first time in weeks.

    1. Re:$12,000 goes a long way in palestine by Anonymous Coward · · Score: 1

      No, Hamas is going to have three new surface to air missile launchers.

    2. Re:$12,000 goes a long way in palestine by CanHasDIY · · Score: 1

      No, Mossad/Al Queda is going to plant three new surface to air missile launchers.

      FTFM :)

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:$12,000 goes a long way in palestine by Anonymous Coward · · Score: 0

      No, Mossad/Al Queda/US/UK/Russia/China/your mom/my cat/his goldfish(which was eaten by my cat)/the super intelligent worms in my gut is going to plant three new surface to air missile launchers.

      You're welcome..

  7. Security on Facebook? by Anonymous Coward · · Score: 0

    That's a contradictio ad absurdum.

  8. PR failure by DavidDK · · Score: 5, Insightful

    This must be seen as an absolute failure of Facebook's PR department. As soon as this story hit the tech media, they should have reverted the decision and paid him and excused. This is a serious hit to Facebook's standing as a good workplace. What would you feel as an employee in this situation?

    1. Re:PR failure by doesnothingwell · · Score: 1

      The Zuckerburg has no balls, a real tech company would have tried harder to make this right. As an advertising company Facebook threw a nobody under the buss, phlegm at 11. Facebook should show their true colors and pay off researchers in facepoints or pop star screen savers.

      --
      They can have my command prompt when they pry it from my cold dead fingers.
    2. Re:PR failure by Anonymous Coward · · Score: 0

      Facebook hasn't had good PR for ages. It's only been surviving due to a network effect.

  9. Researcher? by parkinglot777 · · Score: 1, Offtopic

    I am now not sure what the word "researcher" mean? The link for the campaign page mentioned about "independent researchers." However, the summary used the word "one researcher." If I correctly recall from his own blog (Khali), he said he is an "unemployed" which is far from a "researcher." Besides, he happened to stumble on the security issue. This does NOT mean a "research"! This web page is simply to get "attention" from people in the community and should NOT be posted on ./ at all. The campaign owner guy, Marc Maiffret, is tainting real independent researcher's name...

    1. Re:Researcher? by Joining+Yet+Again · · Score: 4, Insightful

      In the real world, a "researcher" is someone who works to rigorous academic standards writing and publishing original scholarship.

      In the "IT security" world, a "researcher" is someone who finds that complex code isn't perfect and thinks himself important for making such a find.

    2. Re:Researcher? by vux984 · · Score: 1

      in the "IT security" world, the average "researcher" is a "hacker", but we aren't allowed to use that word anymore without going to jail, so now everything is under "security researcher" regardless of how professional it is.

      Pretty much like how bloggers have decided to hide out under the 'journalist' umbrella after blogger came to mean 'person with narcissism, brain diarrhea, and the internet'. Now they are watering down the meaning of jouralism, but the word still has some shreds of credibility.

  10. Nice effort, but sets a bad precedent by StandardCell · · Score: 4, Insightful

    Obviously the large corporate machinery at Facebook has caught and chewed up some very nice researcher, and the community once again comes in to right the wrong.

    The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior. Make no mistake - the same idiots that refused the payout and who whitewashed it by claiming a ToS violation will be the same ones watching this effort and wondering how much more they can get away with.

    Ultimately, this is bad business practice for Facebook because this strategy will devolve into grey hats and black hats going for the jugular every time, and less white hats trying to do the right thing. Or maybe this just means people will realize on their own what I keep telling them - avoid using Facebook wherever possible. That will, unfortunately, be found out the hard way during the next big publicized data breach.

    1. Re:Nice effort, but sets a bad precedent by Anonymous Coward · · Score: 0

      > The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior.

      Quite the opposite. It tells Facebook that next time somebody comes up with an exploit, instead of coming to them, they'll go to third parties first.

    2. Re:Nice effort, but sets a bad precedent by Chrutil · · Score: 1

      The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior.

      Nah. Now everybody knows that instead of getting $500 from Facebook telling them about their bugs, they can get $12k from the community by just hacking them directly.

    3. Re:Nice effort, but sets a bad precedent by firex726 · · Score: 1

      Not really...
      If you actually read his report, there is nothing to it ,beyond what is in the title of this summary.

      http://khalil-sh.blogspot.ru/p/facebook_16.html

      The reproduction steps are entirely gone, there is nothing there for a Dev to go in and investigate with.

      --------------

      repro:
      the vulnerability allow's facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post
      link - > https://www.facebook.com/10151857333098885
      of course you may cant see the link because sarah's timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority .
      this is a picture shows that post :
      https://fbcdn-sphotos-h-a.akamaihd.net/hphotos-ak-ash4/q71/s720x720/999429_10151857336258885_2061448780_n.jpg

      --------------

  11. Zero Day Facebook Attack? by bobstreo · · Score: 1

    Looks like it would be better to just sell to umm someone rather than try report to facebook for $500.

  12. Of the 12,000 by Richy_T · · Score: 1

    How much of that is "Screw you, Facebook" dollars?

    1. Re:Of the 12,000 by Minwee · · Score: 2

      At least 13,000.

    2. Re:Of the 12,000 by ahoffer0 · · Score: 1

      Even $1 of "screw you, Facebook" money must taste indescribably sweet.

  13. I'm jaded on this by GodfatherofSoul · · Score: 2

    One one hand, as he says he could've made a ton of money selling this hack to a spammer and ended up harassing MILLIONS of users. On the other hand, hacking a CEOs account isn't the most diplomatic or responsible way to handle the situation and it sounds like his English is a little rough. If you're a locksmith, staging a break-in probably isn't the best way to get a bank's business.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:I'm jaded on this by Errol+backfiring · · Score: 1

      If you're a locksmith, staging a break-in probably isn't the best way to get a bank's business.

      Except that this "bank" explicitly says it will reward people who can bypass the lock. I think it is more like " If you're a locksmith, staging a break-in into the director's office probably isn't the best way to get a bank's business."

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:I'm jaded on this by mwvdlee · · Score: 1

      Why doesn't facebook set up an account which security researchers ARE allowed to hack.
      They could even monitor the account to get as much information as soon as possible when a hack is reported.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:I'm jaded on this by tibit · · Score: 2

      He already hacked someone's account, they didn't care (the "not a bug" reply) - it apparently wasn't a person important enough. They acted like idiots. That's all. Does it take a fucking genius to understand that there is a language barrier and to do the due diligence?

      --
      A successful API design takes a mixture of software design and pedagogy.
    4. Re:I'm jaded on this by DRJlaw · · Score: 1

      On the other hand, hacking a CEOs account isn't the most diplomatic or responsible way to handle the situation and it sounds like his English is a little rough.

      Ok, I'm getting tired of this "hacked Mark Z's account" characterization. It didn't happen.

      This guy posted to a Mark Z's wall. He shouldn't have been able to, but there's no indication that he gained permissions to the account, changed the account settings, or had access to information marked anything other than public in connection with the account. He found a way to send a message to another account -- that's hacking the messaging system, not hacking the user account.

      If you manage to spam an email address through a spam filter, for example by finding a too-obvious whitelisted keyword, I don't think that there would be many people who would claim that the email account had been hacked. Suddenly when you change over to Facebook's wall system, what is essentialy a messaging scenario suddenly becomes a hack of the user account?

      Mark Z received a message that he shouldn't have, and thanks to Facebook oversharing it was probably visible to some other people. Whoop dee doo. Unless the message was posted as Mark Z, this was 'quasi-spam' that correctly made Facebook sit up and finally ask 'how' for the first time, not remotely a hack of the user account.

    5. Re:I'm jaded on this by Anonymous Coward · · Score: 0

      The amount (12 G's) is excessive and it comes from the wrong source. FB owning up to both the original bug and their flawed response to it's report are needed here.

  14. his report: "there is a bug :broken link:" by raymorris · · Score: 5, Insightful

    He posted his "bug report". It was a few words, just saying "there is a bug" with no hint of what bug or what the exploit could possibly be. It then had a broken link to an uninteresting post, a post that was private.

    To my mind, it doesn't even qualify for the complaint department, much less was it anything close to being a proper report of a security issue.

    Further, in response to Facebook comments pointing out that his message was very hard to read due to the pre-school level grammar, spelling, and use of capitals, he said "don caar nver fic red undrlin words" (or something to that effect), so he KNOWS his messages are nearly unreadable and he "don caar". If I get a message where the spelling is completely wrong, the grammar is completely wrong, and the use of capitals is completely wrong, I'd probably suspect that the claim is completely wrong as well.

    1. Re:his report: "there is a bug :broken link:" by tibit · · Score: 1

      The link was not broken, it demonstrated that the bug was indeed there. The Facebook imbeciles didn't follow through with proper administrative access: they had to view the private profile of a third party, you can't just do that without being logged in administrative impersonation mode. I mean, how stupid can one be?

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re:his report: "there is a bug :broken link:" by Rich0 · · Score: 3, Insightful

      The point of a bug report is to provide information to allow a flaw to be fixed, not to simply brag about having found a problem.

      This isn't a useful bug report "This page demonstrates that I was able to bypass your security and tamper with one of your pages."

      This is a useful bug report "I was able to bypass your security by sending the following malformed request to your server..."

      Bug bounties are generally only offered for the latter.

    3. Re:his report: "there is a bug :broken link:" by Anonymous Coward · · Score: 0

      Facebook should have disabled his account for murdering the English language.

      Or just replied: "lern 2 rite enlis"

    4. Re:his report: "there is a bug :broken link:" by tibit · · Score: 1

      Man, if they can't get the log for exactly what transpired when they see a messed up entry, they are fucked already.

      --
      A successful API design takes a mixture of software design and pedagogy.
    5. Re:his report: "there is a bug :broken link:" by Rich0 · · Score: 1

      Man, if they can't get the log for exactly what transpired when they see a messed up entry, they are fucked already.

      Maybe they can, but that doesn't mean that they have to pay him for it.

      They're paying for useful bug reports, not giving rewards to people who hack their website.

  15. Glad I don't use Facebook by ikhider · · Score: 4, Insightful

    It is a sophisticated surveillance tool anyway. Also, sort of a part time job you don't get paid for.

    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
    1. Re:Glad I don't use Facebook by Anonymous Coward · · Score: 1

      Also, sort of a part time job you don't get paid for.

      That's why I prefer slashdot. It's less of a part time job and more of a low-quality contracting thing I do on the side when I'm bored.

    2. Re:Glad I don't use Facebook by Anonymous Coward · · Score: 0

      It's more sophisticated than you think. People can tag you, talk about you, make connections, and all sorts of stuff without you even having an account.

      If you know anyone on Facebook then you're "in the system" so to speak.

  16. Spend the money well by mwvdlee · · Score: 1

    I hope they take part of that money and set it up as a reward for publically disclosing Facebook vulnerabilities online.
    That way those security researchers can still get some kind of a reward if Facebook doesn't take them seriously.
    And, more importantly, Facebook will be forced to take them more seriously in the future.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  17. that 12K should cover at least some of the court c by Joe_Dragon · · Score: 1

    that 12K should cover at least some of the court costs and fees.

  18. Not sure how it's a crime? by MikeRT · · Score: 1

    He "exceeded his access privileges" or whatever the language used in the CFAA is. The CFAA is so loose that I would surprised if he didn't violate it somehow in doing this.

    And you know what, you morons who modded me flamebait, I don't think it should be considered a legal issue. However it probably is a violation of the CFAA and courts tend to look very favorably on taking away any funds that appear to be proceeds related to a crime. Heck, prisoners are often blocked from selling media rights to their stories so they cannot profit.

    1. Re:Not sure how it's a crime? by Anonymous Coward · · Score: 0

      Well, good thing this guy isn't American, nor lives in America.

      Ask the average Palestinian their sentiments towards America.

  19. Chosen People by ThatsNotPudding · · Score: 1, Insightful

    Had Mr. Shreateh not been Palestinian, I'm forced to wonder if Mr. Facebook's reaction would have been different.

    1. Re:Chosen People by Anonymous Coward · · Score: 0

      Yeah right. Having brown skin in a white country, I'm subjected to racism and profiling regularly, but I have enough sense to not attribute every incident to racism. Sometimes it's just a misunderstanding, someone having a bad day, or a simple miscommunication. This case is the latter, miscommunication, NOT racism.

      However YOU are being racist by trying to attribute this incident to racism when there's zero indication of it. You're just as bad as the border guards in UK who detained Miranda under the terrorism act when there was no indication that Miranda or Greenwald have had any dealings with terrorists.

    2. Re:Chosen People by gnasher719 · · Score: 1

      Had Mr. Shreateh not been Palestinian, I'm forced to wonder if Mr. Facebook's reaction would have been different.

      The bug report that he sent them was totally useless and not worth a penny. I suppose "close friend of Zukerberg" would have helped getting paid, but "white male American" wouldn't.

  20. Re:Great to see there are some whole hearted peopl by firex726 · · Score: 1

    The bug report can be found on the reporters blog:

    http://khalil-sh.blogspot.ru/p/facebook_16.html

    It's actually pretty shitty and does not even explain anything. Facebook had nothing to go off of except a basic description. The summary of this article has more detail than the reporter provided to Facebook.

  21. Tell me where to shoot by Anonymous Coward · · Score: 0

    Except that this "bank" explicitly says it will reward people who can bypass the lock. I think it is more like " If you're a locksmith, staging a break-in into the director's office probably isn't the best way to get a bank's business."

    Except that facebook doesn't have a designated "safe" target. Pardon the pun. XD

  22. Is bad enough by Anonymous Coward · · Score: 0

    Hearing an average Americans sentiments towards America. I cannot imaging the vitriol that would come from someone in that part of the world.

  23. "Without Authorization" by bad-badtz-maru · · Score: 3, Informative

    This has been true since the late 80s, see the Computer Fraud and Abuse Act.

  24. Re:Great to see there are some whole hearted peopl by gnasher719 · · Score: 1

    Thanks for that link.

    Facebook isn't going to pay money if someone tells them there's a bug. They know there are plenty of bugs. They are going to pay if you give them information that helps them fixing a bug, and what he posted didn't help them in any way.

  25. broken for anyone but admin, demonstrated nothing by raymorris · · Score: 2

    Yes, a system admin could use administrative powers to log in as the target user and would have seen a random youtube video posted on somebody's wall. Which demonstrates nothing without an explanation of what it's supposed to demonstrate.

    To the helldesk graduate reading his message, and to anyone else, it was a broken link - an error saying "no such page".

    The Facebook rep should have asked for further information - and that's exactly what they did.

  26. Slashdot ate my post... by TapeCutter · · Score: 1

    ....it was inserted on $Date and should....

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  27. Privacy Invader by Anonymous Coward · · Score: 0

    Basically, Facebook already knows about these type of "bugs", people should NOT be using Facebook.