Slashdot Mirror


Security Community Raises $12k For Researcher Snubbed By Facebook

Trailrunner7 writes "Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn't like people messing with its users – or its executives. That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him – or any other user – to post comments on the walls of other users who aren't their friends. That shouldn't be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him he didn't provide enough information. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg. On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher."

23 of 95 comments

  1. Zuck, pay up by Anonymous Coward · · Score: 5, Insightful

    nothing more to say

    1. Re:Zuck, pay up by ackthpt · · Score: 5, Funny

      nothing more to say

      Zuck doesn't like to pay up, ask any Winklevoss you meet, they'll tell ya.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Zuck, pay up by LifesABeach · · Score: 3, Funny

      Actually, $500 just became $12,000; I think maybe the little zuck could own up? Or maybe deFacedBook doesn't have the capital?

  2. Probably pointless by MikeRT · · Score: 3, Insightful

    And when it reaches a certain level, Facebook may swoop in with their lawyers and claim that it can block him from receiving it, since it's money earned from a technically criminal act.

    1. Re:Probably pointless by vivaoporto · · Score: 4, Informative

      Violating JSTOR's terms of service landed Aaron Swartz in a world of trouble; seems like it's enough to get you a dozen felony indictments nowadays.

    2. Re:Probably pointless by Anonymous Coward · · Score: 5, Informative

      Technically he was arrested for breaking and entering, as he had to gain physical access to networking equipment to download JSTOR's documents in bulk.

      He was later charged with wire fraud and computer fraud. He didn't just try to download stuff, he actively worked around being blocked when they detected him... over a period of several weeks. He would get blocked and then modify his MAC to get a new IP and start again. He bought a throw away computer and named it Gary Host (GHOST). They eventually blocked entire chunks of the MIT network to stop him... thus he resorted to directly accessing some networking equipment in a restricted area and was filmed doing so while trying to hide his face.

      What he did is wrong. Read the indictment.

      Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

    3. Re:Probably pointless by interval1066 · · Score: 4, Insightful

      He didn't steal the money, nor did he use the bug to get it. It will be a gift from an unconnected 3rd party. Not too sure how this will be a criminal act. Even if they could do it, the only way they could block it is via lawsuit. Unless Facebook has also become an arm of law enforcement.

      On a more cogent point; you'd think the hip geeks at facebook would have heard of the Streisand Effect, demonstrated over and over again in these cases.

      My girlfriend keeps asking me why I don't apply at facebook,

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    4. Re:Probably pointless by fahrbot-bot · · Score: 2

      Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

      You know, way (way) back when I was in college, there was a really bright student who could circumvent the all local security measures. The CS department simply offered him a job - and he accepted (to the mutual benefit of the student and department).

      --
      It must have been something you assimilated. . . .
  3. communication skills by OleMoudi · · Score: 2

    Not trying to play devil's advocate here, but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to successfully explain each flaw and make it understood even to non-technical people, or your work is somewhat worthless.

    Now it's true that one can expect a reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated, go through a lot of invalid and spurious submissions a day.

    So in case you are hoping for a reward, you had better make your submission as clear as possible before going mad and going public. Also, you should at least retry and send additional details before giving up on them (reports do not mention whether the researcher "repeatedly" tried to explain the vuln to them).

    IMHO the lack of patience from the researcher illustrates he really does not care about making Facebook (or anything) more secure. Only money drives him. This is perfectly acceptable, but not quite the image for raising money as if he were a true whitehat.

    --
    ---------
    Thinking never hurt anybody --MacGyver
    1. Re:communication skills by sjwt · · Score: 3

      Bullshit. If you have non-technical people running your bug bounty, then you have lost; they will be paying for things that aren't bugs and ignoring others.

      "If I do X, Y happens, repeatedly. Y should not ever happen"

      You shouldn't have to do more than that to report a bug for a bug bounty program.

      --
      You have 5 Moderator Points!
      Which Helpless Linux zealot/MS basher do you want to mod down today?
  4. PR failure by DavidDK · · Score: 5, Insightful

    This must be seen as an absolute failure of Facebook's PR department. As soon as this story hit the tech media, they should have reversed the decision, paid him, and apologized. This is a serious hit to Facebook's standing as a good workplace. What would you feel as an employee in this situation?

  5. Re:Deserved? by ShanghaiBill · · Score: 3, Interesting

    I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug. For $12K you ought to take the time to be pretty thorough in providing a reproducible bug report.

    I would also like to see this. The reports on this are inconsistent. At first I heard that Facebook "ignored him". Now I am hearing that they "asked for additional information" (which he either did or didn't provide - nobody knows?).

    A better way for Facebook to handle this in the future, would be to set up some sandbox "hack me" accounts. Then someone with an exploit can demonstrate it, and ensure they will be taken seriously.

  6. Nice effort, but sets a bad precedent by StandardCell · · Score: 4, Insightful

    Obviously the large corporate machinery at Facebook has caught and chewed up some very nice researcher, and the community once again comes in to right the wrong.

    The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior. Make no mistake - the same idiots that refused the payout and who whitewashed it by claiming a ToS violation will be the same ones watching this effort and wondering how much more they can get away with.

    Ultimately, this is bad business practice for Facebook because this strategy will devolve into grey hats and black hats going for the jugular every time, and less white hats trying to do the right thing. Or maybe this just means people will realize on their own what I keep telling them - avoid using Facebook wherever possible. That will, unfortunately, be found out the hard way during the next big publicized data breach.

  7. Re:Deserved? by bill_mcgonigle · · Score: 5, Insightful

    I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug.

    See the previous story from a few days ago here. The bug report was complete crap, and barely distinguishable from spam. It was ALSO a legitimate bug that he was reporting AND he inappropriately spammed a third-party's wall with it.

    That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.

    Assuming they fixed the bug, he ALSO deserves the bug bounty reward.

    There's no good-guy, bad-guy Hollywood story here - it was a bunch of bad communication all around that resulted in a narrative that sold page views. I know, that doesn't make for an emotional after-school special.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Re:Researcher? by Joining+Yet+Again · · Score: 4, Insightful

    In the real world, a "researcher" is someone who works to rigorous academic standards writing and publishing original scholarship.

    In the "IT security" world, a "researcher" is someone who finds that complex code isn't perfect and thinks himself important for making such a find.

  9. I'm jaded on this by GodfatherofSoul · · Score: 2

    On one hand, as he says, he could've made a ton of money selling this hack to a spammer and ended up harassing MILLIONS of users. On the other hand, hacking a CEO's account isn't the most diplomatic or responsible way to handle the situation, and it sounds like his English is a little rough. If you're a locksmith, staging a break-in probably isn't the best way to get a bank's business.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:I'm jaded on this by tibit · · Score: 2

      He already hacked someone's account, they didn't care (the "not a bug" reply) - it apparently wasn't a person important enough. They acted like idiots. That's all. Does it take a fucking genius to understand that there is a language barrier and to do the due diligence?

      --
      A successful API design takes a mixture of software design and pedagogy.
  10. Re:Of the 12,000 by Minwee · · Score: 2

    At least 13,000.

  11. his report: "there is a bug :broken link:" by raymorris · · Score: 5, Insightful

    He posted his "bug report". It was a few words, just saying "there is a bug" with no hint of what bug or what the exploit could possibly be. It then had a broken link to an uninteresting post, a post that was private.

    To my mind, it doesn't even qualify for the complaint department, much less was it anything close to being a proper report of a security issue.

    Further, in response to Facebook comments pointing out that his message was very hard to read due to the pre-school level grammar, spelling, and use of capitals, he said "don caar nver fic red undrlin words" (or something to that effect), so he KNOWS his messages are nearly unreadable and he "don caar". If I get a message where the spelling is completely wrong, the grammar is completely wrong, and the use of capitals is completely wrong, I'd probably suspect that the claim is completely wrong as well.

    1. Re:his report: "there is a bug :broken link:" by Rich0 · · Score: 3, Insightful

      The point of a bug report is to provide information to allow a flaw to be fixed, not to simply brag about having found a problem.

      This isn't a useful bug report "This page demonstrates that I was able to bypass your security and tamper with one of your pages."

      This is a useful bug report "I was able to bypass your security by sending the following malformed request to your server..."

      Bug bounties are generally only offered for the latter.

  12. Glad I don't use Facebook by ikhider · · Score: 4, Insightful

    It is a sophisticated surveillance tool anyway. Also, sort of a part time job you don't get paid for.

    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
  13. "Without Authorization" by bad-badtz-maru · · Score: 3, Informative

    This has been true since the late 80s, see the Computer Fraud and Abuse Act.

  14. broken for anyone but admin, demonstrated nothing by raymorris · · Score: 2

    Yes, a system admin could use administrative powers to log in as the target user and would have seen a random youtube video posted on somebody's wall. Which demonstrates nothing without an explanation of what it's supposed to demonstrate.

    To the helldesk graduate reading his message, and to anyone else, it was a broken link - an error saying "no such page".

    The Facebook rep should have asked for further information - and that's exactly what they did.