Mark Zuckerberg Facebook Hacked By An Security Analyst
A Facebook user identifying himself as Khalil Shreateh recently found a bug in facebook through which he could post information on other user’s Walls, even if they weren’t friends. He alerted Facebook,but Facebook responded that Khalil’s discovery wasn’t a bug, therefore he was not eligible to receive $500 as part of Facebook’s own bug-bounty program.
When Facebook’s security team ignored him, knowing he was right, Khalil brought the issue up in an innovative way: He posted a message on Zuckerberg’s own Wall to demonstrate the vulnerability, getting Facebook’s attention in a way that which not only cost him the $500 bounty, but his Facebook account as well.
Though he was able to prove to Facebook that his bug was legit (despite an initial response that it wasn’t a bug at all), Facebook wasn’t too happy with the way he did it: by using the bug to post on Zuckerberg’s otherwise friends-only wall.
Here is what Facebook says:
“Security research can be a pretty tough balancing act. If you don’t follow a company’s responsible reporting terms , you might be robbing yourself of your fair share of recognition and, if the company is one of many that gives bug bounties, a chunk of cash. Alas, exploiting your way onto Zuck’s timeline doesn’t exactly comply with Facebook’s reporting rules.”
Here is how things went before Mark Zuckerberg Facebook got Hacked:
In his initial report of the bug, Khalil demonstrated that he was able to post on anyone’s wall by submitting a link to a post he’d made on the wall of Sarah Goodin (a college friend of Zuck’s, and the first woman on Facebook.)Unfortunately, the member of the Facebook Security team who clicked the link wasn’t friends with Goodin, whose wall was set to be visible to friends only. As a result, they couldn’t see Khalil’s post. (While Facebook Security can almost certainly over-ride privacy settings to see anything posted on the site, they didn’t seem to do that here)
“I don’t see anything when I click the link except an error”, responded Facebook’s Security team.”
Khalil submitted the bug with the same link again, explaining that anyone investigating the link would need to either be Goodin’s friend or would need to “use their own authority” to view the private post.
“I am sorry this is not a bug”
Replied the same member of the Security team, seemingly failing to grasp what was going on.
Khalil responded by taking his demonstration to the next level,if posting on one of Mark Zuckerberg’s friend’s walls didn’t get his point across, perhaps posting on Zuck’s own wall would?
Thus On Thursday afternoon, Khalil posted a note into Zuckerberg’s timeline.
Here is what he posted on Mark Zuckerberg Facebook Hacked Wall:
“Sorry for breaking your privacy to post to your wall, i had no other choice to make after all the reports I sent to Facebook team”
Within minutes, Facebook engineers were reaching out to Khalil. He’d made his point.
What is Bug Bounty Program:
The Facebook’s bug bounty program is whitehat exploit disclosure program, through security researchers are paid at least $500 for each critical bug they report responsibly. $500 is just the minimum,the size of the bounty increases with the severity of the bug, with no set maximum.
Did the Mark Zuckerberg facebook wall hacker recieved any bounty for the bug:
There was no bug bounty for Khalil because of terms and conditions of Facebook’s bug disclosure policy which requires researchers to use test accounts for their investigations and reports, rather than the accounts of other Facebook users. By posting to Goodin and Zuck’s walls, he’d broken those rules pretty much right out of the gate. His reports also didn’t include enough detail of how to reproduce the bug, says Facebook:
“Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
Here is what’s going on thereafter:
Since Khalil’s initial post went up on Friday, there’s been a healthy debate as to whether or not Facebook should be paying him a bounty. On one hand, he broke their disclosure rules (perhaps unknowingly — as many have pointed out, Facebook’s disclosure terms are only available in English, which doesn’t seem to be Khalil’s first language); on the other, he was seemingly trying to report it responsibly rather than selling it to spammers.
Even Facebook’s own engineers have entered the discussion.Facebook Security Engineer Matt Jones laid things says:
“We get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those if you enter a password then view-source, you can access the password! When you submit a password, it’s sent in the clear over HTTPS! We should have pushed back asking for more details here.”
However,he continues that, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here, to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
What you say?Do you think Facebook responded appropriately to Kahlil’s bug discovery?Share your thoughts in the comments.
Er. Shivam Kumar
Latest posts by Er. Shivam Kumar (see all)
- Galaxy S5:10 likely features of the upcoming Samsung phone - February 24, 2014
- Samsung Galaxy Note 3 Neo SM-N7500 now available for pre-booking - February 23, 2014
- Yoast seo:Why you should turn off author sitemaps & date archives in this plugin - February 10, 2014