Forgot your password?
typodupeerror
Facebook Security

Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page 266

Posted by samzenpus
from the do-you-see-it-now? dept.
Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"
This discussion has been archived. No new comments can be posted.

Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

Comments Filter:
  • Take it public (Score:5, Insightful)

    by scubamage (727538) on Monday August 19, 2013 @09:17AM (#44607069)
    Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I was the submitter I'd just publish the exploit and be done with it.
    • Re:Take it public (Score:5, Insightful)

      by gl4ss (559668) on Monday August 19, 2013 @09:22AM (#44607111) Homepage Journal

      They don't follow up on anything, I checked.

      It might be because they're so swamped or maybe it's that if they feel like it's not their bug then they don't do anything. Either way not very responsive.

      • Re:Take it public (Score:5, Insightful)

        by Anonymous Coward on Monday August 19, 2013 @09:37AM (#44607305)

        I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.

        • Re:Take it public (Score:5, Insightful)

          by Rob the Bold (788862) on Monday August 19, 2013 @10:32AM (#44607875)

          I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducable in order to warrant some debugging and investigation.

          Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting. I'd also make sure my instructions and description of the report format were just a little vague, so the user would be forced to fill in the blanks, further reducing the odds that the report would be "valid". Maybe I'd require some info that most bug reporters would think irrelevant or inapplicable to most bugs -- you know, just to tempt them to skip that part. Then I could pretty much close every ticket with "can't reproduce" and screw around on facebook all day -- for quality assurance purposes, of course.

          • by Minwee (522556)

            Maybe they just don't have the technology to request additional info from the reporter.

            That makes sense. After all, why would you expect a company like Facebook to have any way of communicating with their own users?

        • by Gibgezr (2025238)

          Yes, but maybe they did that, and still couldn't reproduce it
          All he did was say "I can post to anyone's timeline", which is so vague as to be useless information. It gives them no hint as to what is broken, as the Timelines are probably integrated into huge swathes of the FB codebase. It truly was a needle in a haystack, and thus totally unverifiable. He needed to send the repro info.

      • Re:Take it public (Score:5, Insightful)

        by freezin fat guy (713417) on Monday August 19, 2013 @11:20AM (#44608281)

        They don't follow up on anything, I checked.

        Nobody enjoys following up on things in which they have absolutely no interest.

        Facebook have proven exceedingly reliable at not caring about their user's security or privacy.

        Having living proof of a hack is especially annoying because it actually forces them to respond and improve user security. Fankly, I'm surprised they are pressing charges.

        • Oops, should read "I'm surprised they AREN'T pressing charges"

          Few things must infuriate Zuckerburg and cohorts more than addressing the security or privacy of their users.

    • Re:Take it public (Score:5, Insightful)

      by SQLGuru (980662) on Monday August 19, 2013 @09:37AM (#44607303) Journal

      I read the guy's own post about it. He reported what he could do and not the steps required to exploit it. The Facebook team couldn't reproduce it as a bug (since there were no repro steps) and closed it as "not a bug".

      So really, the problem was one of communication. The guy has the problem a lot of my clients/users have in that they don't give enough detail to investigate the bug and Facebook didn't really follow what he was trying to say (since he just sent them links saying "look what I did"). I'm not saying he didn't legitimately find an exploit and probably deserves some bounty ($500 is nothing to a company like Facebook), but Facebook should probably have some guidelines for how to submit bugs.

      Aside - what any bug report needs:
      * What action were you taking?
      * What result did you observe?
      * What result did you expect?
      * Are there specific data values that always exhibit the symptom?
      * Are there specific data values that do not exhibit the symptom?
      * Reproduction steps (be as detailed as possible)
      * Any other useful details about the bug (error messages, screen shots, etc.)

      • Re:Take it public (Score:5, Insightful)

        by Skapare (16644) on Monday August 19, 2013 @09:44AM (#44607373) Homepage

        If YOU could read the guy's post, then that would be the WRONG place for him to put the details about how to reproduce it. Facebook engineers should have contacted HIM, directly, by a secure means, to get those details. If Facebook engineers expect exploits to be posted in a public forum, then it is THEY who are doing this wrong.

        • by DavidD_CA (750156)

          I believe the person is referring to the hacker's own personal blog/story, not the post that the hacker made to Facebook -- which I presume is private.

      • Re:Take it public (Score:4, Insightful)

        by Opportunist (166417) on Monday August 19, 2013 @10:13AM (#44607659)

        'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.

        • Re:Take it public (Score:5, Informative)

          by jovius (974690) on Monday August 19, 2013 @11:03AM (#44608125)

          Incidentally I was just reading about the issue... Market research numbers [forbes.com] from last year.

          $5000 - $30,000 Adobe Reader
          $20,000 - $50,000 Mac OSX
          $30,000 - $60,000 Android
          $40,000 - $100,000 Flash or Java Browser Plug-Ins
          $50,000 - $100,000 Microsoft Word
          $60,000 - $120,000 Windows
          $60,000 - $150,000 Firefox or Safari
          $80,000 - $200,000 Chrome or IE
          $100,000 - $250,000 iOS

      • by X0563511 (793323)

        Not to say you're wrong, but would it really have been so hard for them to reply asking for details? Simply closing it without even a response is not appropriate, even if it is a useless report.

        As someone else said, if it was publicly viewable it was not an appropriate place to put the details. Perhaps he should have offered them (I have reproducibility details, please contact me) but really, the onus for that was on them and not him.

  • Won't pay? (Score:5, Insightful)

    by schneidafunk (795759) on Monday August 19, 2013 @09:19AM (#44607087)
    Seems to me that Mark is just pissed at being embarrassed, there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.
    • Re:Won't pay? (Score:5, Insightful)

      by Nerdfest (867930) on Monday August 19, 2013 @09:22AM (#44607113)

      Perhaps they should pay him extra and thank him ... he could have done much, much, worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.

      • Re:Won't pay? (Score:4, Insightful)

        by schneidafunk (795759) on Monday August 19, 2013 @09:24AM (#44607145)
        Exactly. You raise a good point, he used his personal account, which ended up getting suspended.
      • Re:Won't pay? (Score:5, Insightful)

        by afidel (530433) on Monday August 19, 2013 @09:24AM (#44607153)

        Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

        • Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

          Exactly - fuck me once, shame on you, fuck me twice...

      • Re:Won't pay? (Score:5, Insightful)

        by IronOxen (2502562) on Monday August 19, 2013 @09:33AM (#44607255)
        Actually, he also exposed a bug in the bug reporting system that prevents it from responding to and or acknowledging the exact type of vulnerabilities it was designed to find. It was obviously repeatable since the vulnerability was reported twice and was ignored both times. He should be paid for that one as well.
      • Well, you should not overlook that there may be other factors involved in these parties...

        The bug reporter
        1)Did he describe how to reproduce the bug step-by-step?
        2)Did he describe the set up to reproduce the bug in detail?
        3)How understandable was his email to native English speakers?

        The FB team
        1)How many similar bug reports do they get each day?
        2)What the procedure do they use in bug investigation?
        3)How much concern they have to each bug report?

        1st email:
        the bug allow facebook users to share links to other facebook users , i tested it on sarah.goodin wall and i got success post
        http:

        2nd email:
        of course you may cant see the link because sarah's timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority .
        this is a picture shows that post :

        Now, your reply assumes that the bug reporter cl

        • by t0y (700664)
          He linked to the post in goodin's wall that shouldn't exist. If a server is on fire you don't need steps to reproduce to prove that something's wrong.
    • by poetmatt (793785)

      this is facebook. they're not in the business of security or privacy. what do you expect?

      • *gasp*

        That they are interested in protecting their assets! Imagine someone could come and siphon away all the info without paying them!

    • by asmkm22 (1902712)

      Apparently, he should have just sold it on the black market since Facebook is trying to weasel out of paying over a technicality, no pun intended.

  • ...people are still using Facebook?
  • That's a catch 22 (Score:5, Insightful)

    by i kan reed (749298) on Monday August 19, 2013 @09:23AM (#44607119) Homepage Journal

    Post what you know to their white-hate system: not reproducible with that information. No money.
    Reproduce it yourself: violating TOS. No money.

  • After Facebook's stock plummet, Mark is pretty hard up for cash; maybe Kahlil Shreateh could cut junior some slack? Lets "face it", super hero underware for staff members is not cheap?
    • Have you looked at Facebook's stock recently? It's getting close to the IPO price.
      • by rwyoder (759998)

        Have you looked at Facebook's stock recently? It's getting close to the IPO price.

        It actually closed a little *over* the IPO price on several days last week.

    • Underware? Is that some sort of page 0 TSR, or BIOS xploit, or something?
  • Not worth it (Score:5, Interesting)

    by phantomfive (622387) on Monday August 19, 2013 @09:31AM (#44607229) Journal

    Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds.

    That's absolutely not worth the money. He's better off taking the publicity he got from this and turning it into a high-paying job.

  • by fuzzytv (2108482) on Monday August 19, 2013 @09:44AM (#44607371)

    Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473 [zdnet.com]

    If someone from Facebook reads this, and it's TL;DR; here are the next steps:

    #1 apologize to the guy, acknowledge he reported the issue twice
    #2 reinstate the account and pay him his reward
    #3 fix the damn issue

  • 500 USD? (Score:2, Insightful)

    by ebonum (830686)

    What a joke. Face book should fire the guy costing 150,000 USD a year ( take home pay and all in cost to FB are not the same ) who wrote the offending code.

    500 USD for a bug is an insult. How much do their QC people make a month? They failed, and they are getting a lot more than 500 USD.

  • Cheapskates (Score:4, Funny)

    by Anonymous Coward on Monday August 19, 2013 @09:53AM (#44607479)

    Refusing to pay because it violates terms of service? Wait wait, I'm now convinced all my online details are safe. Afterall the terms of service protects me from dishonest hackers, right?

  • You were warned repeatedly and ignored it. FU.
  • by slashkitty (21637) on Monday August 19, 2013 @10:32AM (#44607867) Homepage
    They pay $7,500 for an XSS bug, more for more serious bugs. Facebook better think about their program before a more serious bug is made public or exploited privately.
  • Don't tell them how it was done. No threats, no extortion, just don't tell them. Let them figure it out on their own dime.
  • What they meant to say was "That report is received by an intern who doesn't give a damn because we don't take security seriously."
  • by FuzzNugget (2840687) on Monday August 19, 2013 @11:49AM (#44608615)
    I can buy that the submitted report "did not have enough technical information" to take action, but your response is ... uh, eh fuck it?

    How about you follow up by contacting the submitter for more information.
  • by LoRdTAW (99712) on Monday August 19, 2013 @12:08PM (#44608815)

    Hacker: I found a major exploit in your system. Here are the details.
    Facebook engineers: (to themselves) Shit, he may be right but we can't reproduce it and we don't want to get into trouble. Just sweep it under the rug.
    Hacker: I filed a major bug report and you didn't respond, here are more details in case you needed more help.
    Facebook engineers: (to themselves) Oh fuck. That is going to be a lot of work to fix. File this one under the rug again. I hope I get a better offer from Google or Apple before the shit hits the fan.
    Hacker: (hacks Zuckerberg's account) That will get their attention.
    Zuckerberg to FB engineers: WHAT THE FUCK! How did this happen! I want answers now or heads start rolling!
    FB engineers: Shit Shit Shit Shit Shit... contact that guy and see what he did ASAP! Oh god oh god oh god..........
    Facebook/Zuckerberg: This is a major embarrassment but I still don't want to give that little bastard any credit for exposing our laziness. Reward denied.

  • BS.. (Score:3, Insightful)

    by SuperDre (982372) on Monday August 19, 2013 @01:06PM (#44609501) Homepage

    Have you people actually seen the email-conversation between him and facebook?
    Well if you have, you know HE is just a moron for making it public as he didn't send facebook a step-by-step on how to recreate the bug, all he did was say 'he I can post a message on someonelses wall without being a friend'.. and after facebook asked some details all he did was post a link to a post he made.. the man is a moron, if he's a "security researcher" then he should at least know how to do a proper bug-report.. Facebook get's so many fake bug-reports (with photoshopped images) from people who hope they can get a bounty..

  • by Sentrion (964745) on Monday August 19, 2013 @01:12PM (#44609549)

    IANAL, but this case sounds like it might be a good candidate for an unjust enrichment lawsuit. If Zuckerborg refuses to pay the $500 bounty on the grounds that FB terms of use were violated, then shouldn't they pay the hacker "fair market value" for identifying the bug? After all, FB openly solicited bug reports from the general public with a promise of compensation. And did FB not implement new safeguards after they found out the exploit was legitimate, as evidenced by Zuckerberg's hacked page?

    If my neighbor hires a painter, and the painter paints my house instead of my neighbor's house, and I stand by and watch the painter work on my house without informing the painter he is working on the wrong house, then I am obligated to pay the painter the amount he would have charged my neighbor for the work performed. Absent any written agreement, the amount due would be based on the fair market value of the labor performed plus a generally accepted markup for the cost of materials.

    So now I'm curious, what would be the fair market value for finding an exploit that would allow a hacker to alter Mr. Zuckerberg's own FB page? Given that the IRS can tax certain unsaleable items based on "illicit market" value, could the "street value" of Mr. Shreateh's findings be considered for valuation given that there is no "fair" market value, since such a value implies that there exists a market, meaning more than one possible customer legally able and willing to make an offer for such findings?

    Read more: http://lancasteronline.com/article/local/607346_IRS-values-stolen-or-illegal-items-at-black-market-rate.html#ixzz2cRIxNEoC [lancasteronline.com]

  • by hesaigo999ca (786966) on Monday August 19, 2013 @01:22PM (#44609637) Homepage Journal

    Mark considers himself a haxor, so do many others that use his app. Some are smarter then others, this one proved he was, and went so far as to show the creator of facebook he was, instead of 500$ , I would have asked for a job, and some cigars, love those cigars, and maybe a bottle of tequila.... but never money!
    Its the principle of it all

  • CNR (Score:3, Funny)

    by The Grim Reefer (1162755) on Monday August 19, 2013 @01:41PM (#44609861)
    This XKCD [xkcd.com] seems appropriate. The first time I saw it I almost fell out of my chair laughing. At my previous company I practically had to write a doctoral thesis to get simple obvious bugs fixed.
  • Perhaps Shreateh can get asylum in Russia.

  • by shentino (1139071) on Monday August 19, 2013 @02:23PM (#44610361)

    He reported the bug BEFORE he violated the facebook TOS.

    So Facebook is just using the TOS violation as an excuse for *retroactive* denial of the bounty *he had already earned*.

I'm all for computer dating, but I wouldn't want one to marry my sister.

Working...