Security Community Raises $12k For Researcher Snubbed By Facebook 95
Trailrunner7 writes "Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn't like people messing with its users – or its executives. That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him – or any other user – to post comments on the walls of other users who aren't their friends. That shouldn't be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him he didn't provide enough information. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg. On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher."
Zuck, pay up (Score:5, Insightful)
nothing more to say
Comment removed (Score:4, Insightful)
$12,000 goes a long way in palestine (Score:0, Insightful)
Dude is going to have running water and good food for the first time in weeks.
PR failure (Score:5, Insightful)
Nice effort, but sets a bad precedent (Score:5, Insightful)
The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior. Make no mistake - the same idiots that refused the payout and who whitewashed it by claiming a ToS violation will be the same ones watching this effort and wondering how much more they can get away with.
Ultimately, this is bad business practice for Facebook because this strategy will devolve into grey hats and black hats going for the jugular every time, and less white hats trying to do the right thing. Or maybe this just means people will realize on their own what I keep telling them - avoid using Facebook wherever possible. That will, unfortunately, be found out the hard way during the next big publicized data breach.
Re:Deserved? (Score:5, Insightful)
I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug.
See the previous story from a few days ago here. The bug report was complete crap, and barely distinguishable from spam. It was ALSO a legitimate bug that he was reporting AND he inappropriately spammed a third-party's wall with it.
That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.
Assuming they fixed the bug, he ALSO deserves the bug bounty reward.
There's no good-guy, bad-guy Hollywood story here - it was a bunch of bad communication all around that resulted in a narrative that sold page views. I know, that doesn't make for an emotional after-school special.
Re:Researcher? (Score:5, Insightful)
In the real world, a "researcher" is someone who works to rigorous academic standards writing and publishing original scholarship.
In the "IT security" world, a "researcher" is someone who finds that complex code isn't perfect and thinks himself important for making such a find.
his report: "there is a bug :broken link:" (Score:5, Insightful)
He posted his "bug report". It was a few words, just saying "there is a bug" with no hint of what bug or what the exploit could possibly be. It then had a broken link to an uninteresting post, a post that was private.
To my mind, it doesn't even qualify for the complaint department, much less was it anything close to being a proper report of a security issue.
Further, in response to Facebook comments pointing out that his message was very hard to read due to the pre-school level grammar, spelling, and use of capitals, he said "don caar nver fic red undrlin words" (or something to that effect), so he KNOWS his messages are nearly unreadable and he "don caar". If I get a message where the spelling is completely wrong, the grammar is completely wrong, and the use of capitals is completely wrong, I'd probably suspect that the claim is completely wrong as well.
Re:Probably pointless (Score:5, Insightful)
He didn't steal the money, nor did he use the bug to get it. It will be a gift from an unconnected 3rd party. Not too sure how this will be a criminal act. Even if they could do it, the only way they could block it is via lawsuit. Unless Facecook has also become a an arm of law enforcement.
On a more cogent point; you'd think the hip geeks at facebook would have heard of the Streisand Effect, demonstrated over and over again in these cases.
My girlfriend keeps asking me why I don't apply at facebook,
Glad I don't use Facebook (Score:4, Insightful)
Chosen People (Score:2, Insightful)
Re:his report: "there is a bug :broken link:" (Score:4, Insightful)
The point of a bug report is to provide information to allow a flaw to be fixed, not to simply brag about having found a problem.
This isn't a useful bug report "This page demonstrates that I was able to bypass your security and tamper with one of your pages."
This is a useful bug report "I was able to bypass your security by sending the following malformed request to your server..."
Bug bounties are generally only offered for the latter.