Facebook Intern Gets Preemptive Ax For Exposing Security Flaw
Engadget reports that Harvard student Aran Khanna, who was about to begin an internship at Facebook, had that internship yanked after he created (and took down, but evidently too slowly for the company's taste) a browser plug-in that exposed a security flaw in Facebook, by allowing users to discover the location of other users when they use the Messenger app. Surely Khanna won't be jobless or internship-less for long. (Don't expect the app to work now; it's still in the Chrome store as a historical artifact, though, and at GitHub.)
So you're trying to get a job at a company and instead of reporting to them a security flaw, you create a Chrome extension to let anybody (ab)use it.
If you're expecting to NOT get fired, you're an idiot.
Your hair look like poop, Bob! - Wanker.
here are your choices:
1. employee or white hat or grey hat comes to you with an exploit. you reward him for the discovery, you squash the exploit. the media paints you in a good light. more white hats and employees are eager to come forward with exploits they find. your userbase is happy with the quick resolution, transparency, and eagerness to protect
2. employee or white hat or grey hat comes to you with an exploit. you fire him, sue him, ignore him, censor him. maybe you don't squash the exploit, you think you can just hide it. of course, the media gets wind anyways and paints you as a moron who thinks you can sweep it under the rug or an idiot in denial for your "no comment" when asked about the exploit. white hats and employees are discouraged and hide exploits or turn into grey hats and black hats and sell your exploit underground or use them for nefarious purposes themselves. you don't find out about it until much later as no one wants to talk to you after the reception you've demonstrated. you are hacked, your userbase grows angry and shrinks, your third quarter profit takes a hit, the guys in the corner office call you in and ask you to account for the problems
those are choices middle management morons. proceed accordingly
oh, the guy wrote an app instead of coming to you immediately?
gee, how horrible
hide your blind shortsighted anger, paint on a fake smile, and give him a reward
because that's what is in your best interests you fucking pinhead! you WANT these guys to come to you, so you NEVER show any negativity to anyone who has shown how YOU have failed by discovering the exploit. the original shame, the original failure is YOUR EXPLOIT
it's not a parent-child situation and the kid crashed the family SUV. it's about you failing to provide airtight security with your product and you showing the world that you are welcoming to all friends and foes who would only come to you and tell you what you did wrong to allow the exploit. understand? you failed first, by allowing the exploit to exist
oh, all complicated software has exploits? true. so you're really eager to plug those holes any way you can, right? you're really glad someone found one for you, right? prove it, by rewarding those who find the holes
either the exploits go underground when you storm around like a prima donna when someone finds a hole, or you show how eager you are in due modesty that anyone come forward with an exploit for you to squash, with thanks and kudos
now figure the fuck out what is best for you and your company's bottom line, and don't be such a mediocre empty suit
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The curious part about this is that this privacy leakage flaw has been known since 2012 and was reported in the media. Facebook didn't care.
Aran Khanna MADE Facebook care. I don't know if he was trolling Facebook or if he is just naive. Either way, I applaud his results.