Facebook Intern Gets Preemptive Ax For Exposing Security Flaw

Engadget reports that Harvard student Aran Khanna, who was about to begin an internship at Facebook, had that internship yanked after he created (and took down, but evidently too slowly for the company's taste) a browser plug-in that exposed a security flaw in Facebook, by allowing users to discover the location of other users when they use the Messenger app. Surely Khanna won't be jobless or internship-less for long. (Don't expect the app to work now; it's still in the Chrome store as a historical artifact, though, and at GitHub.)

What did you expect to happen?

[OverlordQ]

So you're trying to get a job at a company and instead of reporting to them a security flaw, you create a Chrome extension to let anybody (ab)use it.

If you're expecting to NOT get fired, you're an idiot.

Re:What did you expect to happen?

[alvinrod]

Sounds like a classic case of a brilliant engineer/programmer simply lacking in common sense, perhaps in this instance due to being young more than anything.

Re:What did you expect to happen?

Better than that, the app is still up, it was never even removed - he only removed one version of it:

https://chrome.google.com/webs...

Re:What did you expect to happen?

[buchner.johannes]

It is not really a security flaw, it is a choice of design, and the extension showed what the consequences are -- namely that you can find out the habits and travels of a person, remotely.
This is similar to the mobile phone metadata, from which you can learn everything* about a person

Netherlands: https://www.bof.nl/2014/07/30/...
Germany: http://www.businessinsider.com...

*You put in some assumptions too, and being very confident about the conclusions of that person may have low validity, but that hasn't stopped the NSA.

Re:What did you expect to happen?

[mwvdlee]

How obvious was is that it was indeed a flaw, and not just some "hidden" feature exposed through the publically distributed HTML and javascript?

Re:What did you expect to happen?

[fuzzyfuzzyfungus]

That just makes it worse: telling someone that they made a mistake pisses them off; but telling someone that the consequences of the action they deliberately undertook suck is just unforgivable.

Re:What did you expect to happen?

I strongly suspect that you're a hateful, paranoid person.

Re:What did you expect to happen?

[demachina]

Of course it might be an intentional backdoor to allow NSA, DHS, FBI, law enforcement to track persons of interest so you can be SURE facebook would be upset that it was made public as would the three letter Federal agencies using it.

Re:What did you expect to happen?

You have probably met 0-5 Ivy League students, ever. The rest you saw on "The Social Network".

Re:What did you expect to happen?

[Falconnan]

Well, first, yeah, Harvard is a big deal. Graduating from there is not by itself proof of talent, but it is suggestive. Many hiring managers give school of origin too much weight, but Ivy League educations are pretty good. I get the feeling you have been on the wrong side of such things at least once. Suck it up, many of us have.

Secondly the presumption that the destination for this person is "Wall Street" I will accept as generic hyperbole and not just an assumption on your part. Because really?

Finally, the publicity stunt is a possibility. Without a solid timeline one cannot tell for sure. On the other hand, waiting until "hours before his flight" is a douche move on Facebook's part.

Re:What did you expect to happen?

[marcansoft]

It *wasn't* a flaw. He didn't write an exploit, nor is this a security vulnerability. He just wrote a scraper for location metadata that was already there and was intended to be there. There is no vulnerability, just a demonstration of the extent of the data that is already normally, deliberately available. The only mention of "security" is in the Slashdot summary, which is garbage, as usual. The only thing the extension does is take location data that you can already see and plot it on a map.

Re:What did you expect to happen?

[westlake]

So you're trying to get a job at a company and instead of reporting to them a security flaw, you create a Chrome extension to let anybody abuse it
If you're expecting to NOT get fired, you're an idiot.

Better still is this bit of idiocy from the poster:

Surely Khanna won't be jobless or internship-less for long.

The geek lives in this fantasy world where you can be fired for cause for a security breach at a Fortune 500 company and still remain employable.

Re:What did you expect to happen?

[mattack2]

The geek lives in this fantasy world where you can be fired for cause for a security breach at a Fortune 500 company and still remain employable.

I actually agree with you in general, but a single data point to the contrary.

(info from Wikipedia). Kevin Mitnick went to jail for 5 years, and currently:
He does security consulting for Fortune 500 companies, performs penetration testing services for the world's largest companies and teaches...

Re:What did you expect to happen?

[ultranova]

The geek lives in this fantasy world where you can be fired for cause for a security breach at a Fortune 500 company and still remain employable.

...Why wouldn't you? Companies take risks all the time. To them, you're merely an investment who can pay off richly or blow up in their faces, just like any other. And frankly, adding one more leak to a sieve isn't much of a crime.

Re:What did you expect to happen?

[davester666]

Of course, it's both.

Re:What did you expect to happen?

[shutdown+-p+now]

What makes you believe he didn't go to his manager with that extension and showed what it does first, and tried to explain why it's a problem?

This being Facebook, though, I expect that they simply laughed him out of the room with, "privacy? who the fuck cares about privacy?". And so he published it to show who cares.

Re:What did you expect to happen?

[guruevi]

Are you sure it was a flaw or was it more of an 'undocumented feature'. Because in the end, this is Facebook we're talking about.

Re:What did you expect to happen?

[RockDoctor]

Which part of

who was about to begin an internship

did you misunderstand?

Anyway, it's not a job if there's no pay packet - which is what I understand by "internship" instead of "job".

OK, it's not the best of ways to start your relationship with a company, but part of the induction process at the start of employment (oh, sorry, it's an internship, not an employment) is informing the employee (internee) of their employment rights (not an American concept, I know), the procedures for grievances, their obligations (including security, working hours (another un-American concept), and who they report to and are responsible to) etc etc. Oh, and where the fire exits are and that there's a fire drill on Wednesday mornings.

Missing ')'

Can someone close that parenthesis? It's driving the LISP part of my noggin nutty.

Re:Missing ')'

[BronsCon]

Moo?

Re:Missing ')'

[supton]

Many posters and most commenters on /. are finite state machines. They can't grok things that are not regular languages.

Google should give him an internship

[jkrise]

And make him find more exploits and publish them. But too late for GooglePlus that's doomed now.

Re:What?!

Did you read the article? It wasn't an exploit. It was a feature working as intended.

Re:What?!

[zoffdino]

Yes you are talented. Yes you helped us find a security flaw. But you are too stupid and irresponsible to publish it on the Chrome store. The right way to impress your future employer is to demonstrate it to them, privately.

Can I get a job with Secret Service by penetrating them to approach within 10 feet of Obama?

Clearly a "flaw" they wanted to protect

[smoothnorman]

Some (inspired) companies provide rewards for discovering flaws in their products; allowing them to improve them under controlled circumstances. Some (shorted-sighted) companies punish the discovery of product flaws, preferring the illusion of a pristine public image over the security of their clients. Yet this is clearly a third case: that of it being an intentional "flaw" which was intended to provide revenue. So, if there was such a thing as justice at this level (there isn't) then Facebook should be doubly embarrassed.

Re:Clearly a "flaw" they wanted to protect

[dmomo]

Please tell me which companies reward their engineers for publishing security flaws.. and how could that be considered a controlled circumstance...
If by "clearly", you mean "very unlikely", then surely you are correct.

Re:Clearly a "flaw" they wanted to protect

[smoothnorman]

(something tells me lacking all manner of references and affidavits this will be a fool's errand, but...)

Fluke and Tektronix for two. and I know one Boeing engineer who got a raise when he pointed out a major "flaw" in one of their QC servers. "controlled circumstance" in that it's an in-house discovery with no screaming clients demanding a fix yesterday (cf "zero-day")

Re:Clearly a "flaw" they wanted to protect

[mattack2]

Some (inspired) companies provide rewards for discovering flaws in their products; allowing them to improve them under controlled circumstances.

But this wasn't "controlled circumstances". This was someone releasing a product that used that flaw/design decision (as others have called it) in a way that the company didn't intend, and in a way that apparently the company didn't like.

If they had reported it *directly* to the company, especially after starting the internship, maybe they would have been rewarded for it (with a job in the future).

Thou shalt not embarrass thy corporate masters...

[gweihir]

While this is more due to limitations in said masters and their organizations, it is nonetheless a very important rule. If you must do it, then do it privately. If you need not, then do not do it.

Re:Syntax error

[timothy]

Sorry! Peeve mitigated now ...

dear clueless megacorp and mediocre middle mgmnt:

[circletimessquare]

here are your choices:

1. employee or white hat or grey hat comes to you with an exploit. you reward him for the discovery, you squash the exploit. the media paints you in a good light. more white hats and employees are eager to come forward with exploits they find. your userbase is happy with the quick resolution, transparency, and eagerness to protect

2. employee or white hate or grey hat comes to you with an exploit. you fire him, sue him, ignore him, censor him. maybe you don't squash the exploit, you think you can just hide it. of course, the media gets wind anyways and paints you as a moron who thinks you can sweep it under the rug or an idiot in denial for your "no comment" when asked about the exploit. white hats and employees are discouraged and hide exploits or, turn into grey hats and black hats and sell your exploit underground or use them for nefarious purposes themselves. you don't find about it until much later as no one wants to talk to you after the reception you've demonstrated. you are hacked, your userbase grows angry and shrinks, your third quarter profit takes a hit, the guys in the corner office call you in and ask you to account for the problems

those are choices middle management morons. proceed accordingly

oh, the guy wrote an app instead of coming to you immediately?

gee, how horrible

hide your blind shortsighted anger, paint on a fake smile, and give him a reward

because that's what is in your best interests you fucking pinhead! you WANT these guys to come to you, so you NEVER show any negativity to anyone who has shown how YOU have failed by discovering the exploit. the original shame, the original failure is YOUR EXPLOIT

it's not a parent-child situation and the kid crashed the family SUV. it's about you failing to provide airtight security with your product and you showing the world that you are welcoming to all friends and foes who would only come to you and tell you what you did wrong to allow the exploit. understand? you failed first, by allowing the exploit to exist

oh, all complicated software has exploits? true. so you're really eager to plug those holes any way you can, right? you're really glad someone found one for you, right? prove it, by rewarding those who find the holes

either the exploits go underground when you storm around like a prima donna when someone finds a hole, or you show how eager you are in due modesty that anyone come forward with an exploit for you to squash, with thanks and kudos

now figure the fuck out what is best for you and your company's bottom line, and don't be such a mediocre empty suit

Re:What?!

[N1AK]

Can I get a job with Secret Service by penetrating them to approach within 10 feet of Obama?

Maybe, but what this guy did was the equivalent to putting out a method for getting past the secret service and near to the president on the internet for anyone to see which is far worse.

Hmmm

[sociocapitalist]

Wondering what percentage of /.ers is trying to track their (imaginary)girlfriend/wife/goat with this right now...

You people are idiots

It was published THREE YEARS ago by CNet and others. What the fuck was he supposed to disclose exactly? I'm sick and tired of people not doing the minimal amount of reading necessary to avoid rail roading a privacy researcher with a priori judgments.

Also it's not a security flaw, its a feature: they push this data to your box. All he did was write some JavaScript to display it on a map.

From Facebook's official statement:

"KHAAAAAAAAAAAAAAAAAANNA!"

Doesn't the app already do that?

[wardrich86]

I thought the FB mobile app already gave you the ability to click on messenger-based messages to see where they came from? How is this a flaw?

Re:Doesn't the app already do that?

[Last+Warrior]

It's not a flaw of architecture or implementation. They implemented it this way on purpose. Its a flaw because they either didn't see or envision someone using the data they provided in a way that they thought made them look bad. And it does. He also brought to light to the world that this information was freely available with their implementation when they would have rather kept that a secret to the general public. Because of the public starts to realize how much of their information is available to others and how other can manipulate and use their data without their consent, the less and less they are going to be happy with that. That information should not be provided at all if they care about their users privacy as they are saying that they do. But that is all baloney. This is their business model.

It's facebook's privacy through obscurity policy. What the user DOESNT know we are taking from them or how it can be used will not make the user unhappy.

Re:dear clueless megacorp and mediocre middle mgmn

[RatherBeAnonymous]

The curios part about this is that this privacy leakage flaw has been know since 2012 and was reported in the media. Facebook didn't care.

Aran Khanna MADE Facebook care. I don't know if he was trolling Facebook or if he is just naive. Either way, I applaud his results.

Re:Syntax error

[BronsCon]

You... edited?

Re:What did you expect to happen? (Counterpoint)

[willworkforbeer]

I disagree.. this "idiot" cleverly parlayed an unpaid internship 'firing' into fame and notoriety to get noticed and then hired by a security company; you can't buy this much press even on a Harvard tuition budget. He had a bigger plan all along, and will be hired by a firm in the area of his interest.

Such a firm will be smart to do so. And they will not fail to capitalize on this new hire... they will highlight that one of their employees, [begin bio and / or press release] "...recently made international news by demonstrating a critical security / privacy flaw in FaceBook's messenger application, a flaw that potentially affected hundreds of millions of unsuspecting at-risk FB users".

wall street is boring to lots of ivy students

[peter303]

Plenty of use want to create new wonderful things or improve the world. Shuffling other peoples mony around is boring despite the good pay.

Stop using Facebook - it's not that hard!

Stop using Facebook - it's not that hard!

Re:dear clueless megacorp and mediocre middle mgmn

[phantomfive]

Consider it another way.....his life will now be measurably improved by working for a company besides Facebook.

Re:dear clueless megacorp and mediocre middle mgmn

[circletimessquare]

well said

Re:FTFY

[phantomfive]

Too bad that is not what happened. The following is a much closer description. A recent hire who has yet to start work publishes an implementation of an exploit so that anyone can use it

This is wrong, you're buying into the Facebook propaganda. This is a feature that Facebook created on purpose, several years ago. The information leakage was publicly known.

All this guy did was write an app that made the information easier for an average person to see. He didn't need to write an exploit, the information was given to everyone who asked, as a feature.

Re:FTFY

[circletimessquare]

the exploit was known since 2012

the point isn't the kid's behavior, the point is his employer's bad behavior

"well the guy was smoking pot when he was aiding the stranded motorist, so the police had to kill him"

that's not an analogy of the same magnitude, but it's an analogy of the same failure of logic: that some minor faux pas, even when committed while doing society a benefit, justifies authority overreacting and committing a far worse error

no, it doesn't

you fail

try again

Re:FTFY

[circletimessquare]

so why did they fire him for it?

Re:FTFY

[phantomfive]

They fired him because, according to this news site:

“This mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people’s privacy and safety,” Steinfeld [a Facebook spokesperson] told Boston.com. “Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it’s inconsistent with how we think about serving our community.”

Re:FTFY

[circletimessquare]

All this guy did was write an app that made the information easier for an average person to see. He didn't need to write an exploit, the information was given to everyone who asked, as a feature.

and...

“This mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people’s privacy and safety”

the information is public, or it isn't

figure it out!

(not you phantomfive, facebook)

Re:FTFY

[Spamalope]

so why did they fire him for it?

He made it easier for FB outsiders to get the information without paying.

He made the sheep more aware of the sheering.

Re:FTFY

[circletimessquare]

yup, well said

Re:FTFY

[ultranova]

the information is public, or it isn't

The data was public, the information wasn't. That is, there was a barrier, an effort required to turn data points into a form convenient for some purpose, in this case tracking a person's movements. This tool removed that barrier, making the information public.

This distinction is becoming extremely important as computing power continues to grow and AI advances. Facial recognition, for example, makes security cameras a far greater risk to freedom than they were previously. The kind of mass surveillance we nowadays conduct wasn't physically possible before. Data mining will only continue to grow. The genie is not going back to the bottle, so we must decide how to deal with it. And since it's not possible in the general case to know all the conclusions that can be drawn from a given set of data, especially when combined with other data, blaming it all on the releaser of the data puts people into impossible situation.

Re:FTFY

[circletimessquare]

The data was public, the information wasn't.

yeah, so i stopped reading there

think about, and get back to me

it's either public or it isn't

if he took something private and made it public, i might agree with you

if the information was already available publicly, the intern did nothing wrong at all. and rather than punishing a lowly intern, facebook should be apologizing to its users, and this intern deserves a reward for showing how facebook fucked up. he is doing a service to us, no matter how fucked up facebook's attitude is to a problem of it's own fucking creation

Re:Outrageous

[mydn]

This is very relevant to Slashdot's audience. I mean, any of us could be fired at any time! Maybe I should go check out Dice...

Re:What did you expect to happen? (Counterpoint)

[ThatsMyNick]

Unpaid internships are illegal in California (with the exception of certain types of non-profits). The Sillicon Valley companies only offer paid internships. I am pretty sure facebook pays their interns very well (they need an incentive to join facebook once they graduate)

Re:FTFY

[Dragonslicer]

“...those terms exist to protect people’s privacy and safety,”

So Facebook thinks that it's okay for a Terms of Use page to be the only thing protecting people's privacy and safety?

Re:What did you expect to happen? (Counterpoint)

http://www.glassdoor.com/Inter...

Re:FTFY

[phantomfive]

I think it's not unreasonable to conclude that Facebook doesn't care about privacy, and to some degree, safety either.

Re:What did you expect to happen? (Counterpoint)

[willworkforbeer]

Let's assume the temporary internship pays money. Then I would stand by my general point and amend the comment to say, "...he parlayed a temp job that he clearly did not want (based on his public actions against FB) into millions of dollars worth of PR toward a future, permanent, high-paying career position in IT security".

it's not a bug, hole, or any of that sort.

[gl4ss]

it's a feature.

turn off location tags if you don't want them.

they didn't want him to intern because the way he was presenting the stuff, I think. or because he cannot tell a software flaw from a feature.

Re:it's not a bug, hole, or any of that sort.

[cbhacking]

If it wasn't a bug, they wouldn't have changed the way that the app handles location data (and they did change it).
If they didn't want people tracking the location data of Facebook users, they shouldn't have exposed the users' locations by default.
If they didn't want people to release a tool for automatically mapping that data, they should have paid attention the first few times the issue come up in the media.

Facebook doesn't deserve this guy. There are much better companies he could be working for.

Re:FTFY

[cbhacking]

I think it's quite unreasonable to conclude that Facebook *does* care about privacy. Their entire platform, not to mention revenue model, is based on anti-privacy.

Or, to clarify this, Facebook cares about privacy only to the extent that Facebook's product (users) care about privacy. This extension made the users care, decreasing the value of the product Facebook could sell to advertisers. That is why the guy got the axe; it isn't that he made public anything that wasn't already public, it's that he made people care about the fact that it was public. Can't have that; people might try to make it private instead!

Mod parent up

[cbhacking]

Already commented so I can't mod this myself, but: yes, this. Exactly this.

I'd like to emphasize here that among "you people" one must, prominently, include Timothy. None of the linked articles call this a "security flaw", and calling it that anyhow is just intellectually dishonest bullshit.

Re:FTFY

[phantomfive]

lol point conceded. TBH I think Facebook could call this the marauder's map and get people to happily use it as a feature

Facebook is like an old order company

[MoarSauce123]

If Facebook was really as forward thinking and revolutionary in any kind they would have kept that young fella and offered him a permanent position on the security team. Punishing people for such actions is just old style HR policy. Sure, he should have gone about it differently maybe, as in not making it a publicly available tool, but the core of the issue is that he found a significant vulnerability on his own. It is just too typical that folks get punished for a job well done, either by firing them, giving them more work, or promoting them to a management position where they waste their talent on annual reviews, budget planning, and singing kumbayah at management retreats.

Re:FTFY

[ultranova]

yeah, so i stopped reading there

That explains a lot about you, really. Maybe you'd be happier if you found a nice online echo chamber somewhere rather than pretend to take part in actual discussions?

it's either public or it isn't

Everything is. The only question is how much effort is needed to squeeze the information out of available data. For example, if you're having a discussion in your house, it can be listened from afar with a laser microphone due to sound causing windowpanes to vibrate. Does this mean the conversation was in fact public and no invasion of privacy took place?

But then again, it's easier to stop reading as soon as you're contradicted than bother with facts or logic. Oh well.