Security Community Raises $12k For Researcher Snubbed By Facebook
Trailrunner7 writes "Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn't like people messing with its users – or its executives. That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him – or any other user – to post comments on the walls of other users who aren't their friends. That shouldn't be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him he didn't provide enough information. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg. On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher."
nothing more to say
This must be seen as an absolute failure of Facebook's PR department. As soon as this story hit the tech media, they should have reverted the decision, paid him and apologized. This is a serious hit to Facebook's standing as a good workplace. What would you feel as an employee in this situation?
I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug.
See the previous story from a few days ago here. The bug report was complete crap, and barely distinguishable from spam. It was ALSO a legitimate bug that he was reporting AND he inappropriately spammed a third party's wall with it.
That said, Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.
Assuming they fixed the bug, he ALSO deserves the bug bounty reward.
There's no good-guy, bad-guy Hollywood story here - it was a bunch of bad communication all around that resulted in a narrative that sold page views. I know, that doesn't make for an emotional after-school special.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Technically he was arrested for breaking and entering, as he had to gain physical access to networking equipment to download JSTOR's documents in bulk.
He was later charged with wire fraud and computer fraud. He didn't just try to download stuff, he actively worked around being blocked when they detected him... over a period of several weeks. He would get blocked and then modify his MAC to get a new IP and start again. He bought a throwaway computer and named it Gary Host (GHOST). They eventually blocked entire chunks of the MIT network to stop him... thus he resorted to directly accessing some networking equipment in a restricted area and was filmed doing so while trying to hide his face.
What he did is wrong. Read the indictment.
Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.
He posted his "bug report". It was a few words, just saying "there is a bug" with no hint of what bug or what the exploit could possibly be. It then had a broken link to an uninteresting post, a post that was private.
To my mind, it doesn't even qualify for the complaint department, much less was it anything close to being a proper report of a security issue.
Further, in response to Facebook comments pointing out that his message was very hard to read due to the pre-school level grammar, spelling, and use of capitals, he said "don caar nver fic red undrlin words" (or something to that effect), so he KNOWS his messages are nearly unreadable and he "don caar". If I get a message where the spelling is completely wrong, the grammar is completely wrong, and the use of capitals is completely wrong, I'd probably suspect that the claim is completely wrong as well.