Forgot your password?
typodupeerror
Security Facebook The Almighty Buck

Security Community Raises $12k For Researcher Snubbed By Facebook 95

Posted by Soulskill
from the pay-the-man dept.
Trailrunner7 writes "Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn't like people messing with its users – or its executives. That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him – or any other user – to post comments on the walls of other users who aren't their friends. That shouldn't be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him he didn't provide enough information. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg. On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher."
This discussion has been archived. No new comments can be posted.

Security Community Raises $12k For Researcher Snubbed By Facebook

Comments Filter:
  • Zuck, pay up (Score:5, Insightful)

    by Anonymous Coward on Friday August 23, 2013 @11:51AM (#44655807)

    nothing more to say

  • Probably pointless (Score:4, Insightful)

    by MikeRT (947531) on Friday August 23, 2013 @11:53AM (#44655827) Homepage

    And when it reaches a certain level, Facebook may swoop in with their lawyers and claim that it can block him receiving them back it's money earned from a technically criminal act.

    • Criminal act? Really? It violates Facebook's ToS, but that's it.
      • by vivaoporto (1064484) on Friday August 23, 2013 @12:02PM (#44655939)
        Violating JSTOR's terms of service landed Aaron Swartz in a world of trouble, seems like it's enough to get you a dozen of felony indictments nowadays
        • by Anonymous Coward on Friday August 23, 2013 @12:36PM (#44656443)

          Technically he was arrested for breaking and entering, as he had to gain physical access to networking equipment to download JSTOR's documents in bulk.

          He was later charged with wire fraud and computer fraud. He didn't just try to download stuff, he actively worked around being blocked when they detected him... over a period of several weeks. He would get blocked and then modify his MAC to get a new IP and start again. He bought a throw away computer and named it Gary Host (GHOST). They eventually blocked entire chunks of the MIT network to stop him... thus he resorted to directly accessing some networking equipment in a restricted area and was filmed doing so while trying to hide his face.

          What he did is wrong. Read the indictment. [mit.edu]

          Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

          • Of course, the overreaction of charges...

            They tarred and feathered him for essentially pulling a digital, although an illgal, prank. He was facing serious prison time becuase 1) it was a "hacker" type digital age crime, 2) it embarrassed MIT and the Fed, 3) The Man's reaction to ANY infringement of ANY penal violation is slowly but with increasing pace plain, bald-faced, incarceration; becuase it saves time and money in the short term with an overburdened court system and a legislative branch that measures its productivity in terms of number of b

          • by tqk (413719)

            But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

            I'll bet if you watched closely enough, that would describe everybody.

            Did you know it's now illegal to use a pellet gun in city limits? I did that all the time as a kid (no, not shooting windows! :-).

          • Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.

            You know, way (way) back when I was in college, there was a really bright student who could circumvent the all local security measures. The CS department simply offered him a job - and he accepted (to the mutual benefit of the student and department).

        • This has been true since the late 80s, see the Computer Fraud and Abuse Act.

      • The CFAA has been used to prosecute, in this manner, for many years. The ToS defines authorized access and unauthorized access is illegal under the CFAA.

    • by interval1066 (668936) on Friday August 23, 2013 @12:46PM (#44656571) Homepage Journal

      He didn't steal the money, nor did he use the bug to get it. It will be a gift from an unconnected 3rd party. Not too sure how this will be a criminal act. Even if they could do it, the only way they could block it is via lawsuit. Unless Facecook has also become a an arm of law enforcement.

      On a more cogent point; you'd think the hip geeks at facebook would have heard of the Streisand Effect, demonstrated over and over again in these cases.

      My girlfriend keeps asking me why I don't apply at facebook,

      • by Nerdfest (867930)

        You should tell her that it's because you have a conscience.

      • He "exceeded his access privileges" or whatever the language used in the CFAA is. The CFAA is so loose that I would surprised if he didn't violate it somehow in doing this.

        And you know what, you morons who modded me flamebait, I don't think it should be considered a legal issue. However it probably is a violation of the CFAA and courts tend to look very favorably on taking away any funds that appear to be proceeds related to a crime. Heck, prisoners are often blocked from selling media rights to their stori

      • by wbr1 (2538558)
        He stole facebooks PRIDE. And, lest you forget, corporations have co-opted law enforcement for years now, see the RIAA/MPAA for examples.
      • by metrix007 (200091)

        It doesn't work like that. If what he did is a crime, then the money raised and then given to him is profit as a direct result of that crime. Which isn't allowed.

  • by Anonymous Coward

    I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug. For $12K you ought to take the time to be pretty thorough in providing a reproducible bug report.

    • Re:Deserved? (Score:4, Interesting)

      by ShanghaiBill (739463) on Friday August 23, 2013 @12:11PM (#44656043)

      I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug. For $12K you ought to take the time to be pretty thorough in providing a reproducible bug report.

      I would also like to see this. The reports on this are inconsistent. At first I heard that Facebook "ignored him". Now I am hearing that they "asked for additional information" (which he either did or didn't provide - nobody knows?).

      A better way for Facebook to handle this in the future, would be to set up some sandbox "hack me" accounts. Then someone with an exploit can demonstrate it, and ensure they will be taken seriously.

      • by rsborg (111459)

        A better way for Facebook to handle this in the future, would be to set up some sandbox "hack me" accounts. Then someone with an exploit can demonstrate it, and ensure they will be taken seriously.

        And any publicly available honeypot would need monitoring, espeically if it's running close-to-production codebase, as that will essentially give blackhats the perfect place to demo their exploits.

    • Re:Deserved? (Score:5, Insightful)

      by bill_mcgonigle (4333) * on Friday August 23, 2013 @12:15PM (#44656105) Homepage Journal

      I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug.

      See the previous story from a few days ago here. The bug report was complete crap, and barely distinguishable from spam. It was ALSO a legitimate bug that he was reporting AND he inappropriately spammed a third-party's wall with it.

      That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.

      Assuming they fixed the bug, he ALSO deserves the bug bounty reward.

      There's no good-guy, bad-guy Hollywood story here - it was a bunch of bad communication all around that resulted in a narrative that sold page views. I know, that doesn't make for an emotional after-school special.

      • by Damathon (912183)

        That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.

        How is it that they wrongly deactivated his account? He exploited a bug and used it to post on someone else's wall, just like any spammer would have. It's clearly fair to deactivate while investigating further to block him from using the exploit on anyone else.

        • by tibman (623933)

          The only reason why the bug was exploited was to show the FB team what the bug was. Not only that but get said something like, "I posted in a place i shouldn't be able to and it is a bug that i am reporting". He was cooperating and bringing an issue to FB. Why assume he's a spammer at all?

    • by raymorris (2726007) on Friday August 23, 2013 @12:45PM (#44656555)

      He posted his "bug report". It was a few words, just saying "there is a bug" with no hint of what bug or what the exploit could possibly be. It then had a broken link to an uninteresting post, a post that was private.

      To my mind, it doesn't even qualify for the complaint department, much less was it anything close to being a proper report of a security issue.

      Further, in response to Facebook comments pointing out that his message was very hard to read due to the pre-school level grammar, spelling, and use of capitals, he said "don caar nver fic red undrlin words" (or something to that effect), so he KNOWS his messages are nearly unreadable and he "don caar". If I get a message where the spelling is completely wrong, the grammar is completely wrong, and the use of capitals is completely wrong, I'd probably suspect that the claim is completely wrong as well.

      • by tibit (1762298)

        The link was not broken, it demonstrated that the bug was indeed there. The Facebook imbeciles didn't follow through with proper administrative access: they had to view the private profile of a third party, you can't just do that without being logged in administrative impersonation mode. I mean, how stupid can one be?

        • by Rich0 (548339) on Friday August 23, 2013 @02:22PM (#44657715) Homepage

          The point of a bug report is to provide information to allow a flaw to be fixed, not to simply brag about having found a problem.

          This isn't a useful bug report "This page demonstrates that I was able to bypass your security and tamper with one of your pages."

          This is a useful bug report "I was able to bypass your security by sending the following malformed request to your server..."

          Bug bounties are generally only offered for the latter.

          • by tibit (1762298)

            Man, if they can't get the log for exactly what transpired when they see a messed up entry, they are fucked already.

            • by Rich0 (548339)

              Man, if they can't get the log for exactly what transpired when they see a messed up entry, they are fucked already.

              Maybe they can, but that doesn't mean that they have to pay him for it.

              They're paying for useful bug reports, not giving rewards to people who hack their website.

        • Yes, a system admin could use administrative powers to log in as the target user and would have seen a random youtube video posted on somebody's wall. Which demonstrates nothing without an explanation of what it's supposed to demonstrate.

          To the helldesk graduate reading his message, and to anyone else, it was a broken link - an error saying "no such page".

          The Facebook rep should have asked for further information - and that's exactly what they did.

  • Not trying to play devil's advocate here but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to successfully explain and make understand each flaw to even non-technical people or your work is somewhat worthless.

    Now it's true that one can expect a reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated [facebook.com], go through a lot of invalid and spurious submissions a day.

    So in case you are hoping fo

    • by sjwt (161428) on Friday August 23, 2013 @12:41PM (#44656511)

      Bull shit, if you have non-technical people running your bug bounty, then you have lost, they will be paying for things that aren't bugs and ignoring others.

      "If I do X, Y happens, repeatedly. Y should not ever happen"

      You shouldn't have to do more than that to report a bug for a bug bounty program.

      • by firex726 (1188453)

        Except he did not do that, he just said he found a way to post on other people's timelines.
        There is nothing about the steps he took, or why it might be happening.

        http://khalil-sh.blogspot.ru/p/facebook_16.html [blogspot.ru]

      • Bull shit, if you have non-technical people running your bug bounty....

        C'mon, read his bug report there was no "if this, then that" in his post, when you translate the teenage gibberish into low level techno-babble it basically says "pwned - pay up". I'm no fan of FB but this guy is on an ego trip and wanted to make headlines for himself at FB's expense, a developer I worked with in the 90's used to do a similar thing when printing out code for code reviews, he would hide an innocuous comment somewhere in 100K lines that said something like "This line has been inserted to test

  • PR failure (Score:5, Insightful)

    by DavidDK (48129) on Friday August 23, 2013 @12:09PM (#44656025)
    This must be seen as an absolute failure of Facebook's PR department. As soon as this story hit the tech media, they should have reverted the decision and paid him and excused. This is a serious hit to Facebook's standing as a good workplace. What would you feel as an employee in this situation?
    • The Zuckerburg has no balls, a real tech company would have tried harder to make this right. As an advertising company Facebook threw a nobody under the buss, phlegm at 11. Facebook should show their true colors and pay off researchers in facepoints or pop star screen savers.
  • Researcher? (Score:2, Offtopic)

    I am now not sure what the word "researcher" mean? The link for the campaign page mentioned about "independent researchers." However, the summary used the word "one researcher." If I correctly recall from his own blog (Khali), he said he is an "unemployed" which is far from a "researcher." Besides, he happened to stumble on the security issue. This does NOT mean a "research"! This web page is simply to get "attention" from people in the community and should NOT be posted on ./ at all. The campaign owner guy
    • Re:Researcher? (Score:5, Insightful)

      by Joining Yet Again (2992179) on Friday August 23, 2013 @12:29PM (#44656323)

      In the real world, a "researcher" is someone who works to rigorous academic standards writing and publishing original scholarship.

      In the "IT security" world, a "researcher" is someone who finds that complex code isn't perfect and thinks himself important for making such a find.

      • by vux984 (928602)

        in the "IT security" world, the average "researcher" is a "hacker", but we aren't allowed to use that word anymore without going to jail, so now everything is under "security researcher" regardless of how professional it is.

        Pretty much like how bloggers have decided to hide out under the 'journalist' umbrella after blogger came to mean 'person with narcissism, brain diarrhea, and the internet'. Now they are watering down the meaning of jouralism, but the word still has some shreds of credibility.

  • by StandardCell (589682) on Friday August 23, 2013 @12:12PM (#44656059)
    Obviously the large corporate machinery at Facebook has caught and chewed up some very nice researcher, and the community once again comes in to right the wrong.

    The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior. Make no mistake - the same idiots that refused the payout and who whitewashed it by claiming a ToS violation will be the same ones watching this effort and wondering how much more they can get away with.

    Ultimately, this is bad business practice for Facebook because this strategy will devolve into grey hats and black hats going for the jugular every time, and less white hats trying to do the right thing. Or maybe this just means people will realize on their own what I keep telling them - avoid using Facebook wherever possible. That will, unfortunately, be found out the hard way during the next big publicized data breach.
    • by Chrutil (732561)

      The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior.

      Nah. Now everybody knows that instead of getting $500 from Facebook telling them about their bugs, they can get $12k from the community by just hacking them directly.

    • by firex726 (1188453)

      Not really...
      If you actually read his report, there is nothing to it ,beyond what is in the title of this summary.

      http://khalil-sh.blogspot.ru/p/facebook_16.html [blogspot.ru]

      The reproduction steps are entirely gone, there is nothing there for a Dev to go in and investigate with.

      --------------

      repro:
      the vulnerability allow's facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post
      link - > https://www.facebook.com/10151857333098885 [facebook.com]
      of course you may cant

  • Looks like it would be better to just sell to umm someone rather than try report to facebook for $500.

  • How much of that is "Screw you, Facebook" dollars?

  • by GodfatherofSoul (174979) on Friday August 23, 2013 @12:29PM (#44656325)

    One one hand, as he says he could've made a ton of money selling this hack to a spammer and ended up harassing MILLIONS of users. On the other hand, hacking a CEOs account isn't the most diplomatic or responsible way to handle the situation and it sounds like his English is a little rough. If you're a locksmith, staging a break-in probably isn't the best way to get a bank's business.

    • If you're a locksmith, staging a break-in probably isn't the best way to get a bank's business.

      Except that this "bank" explicitly says it will reward people who can bypass the lock. I think it is more like " If you're a locksmith, staging a break-in into the director's office probably isn't the best way to get a bank's business."

    • by mwvdlee (775178)

      Why doesn't facebook set up an account which security researchers ARE allowed to hack.
      They could even monitor the account to get as much information as soon as possible when a hack is reported.

    • by tibit (1762298)

      He already hacked someone's account, they didn't care (the "not a bug" reply) - it apparently wasn't a person important enough. They acted like idiots. That's all. Does it take a fucking genius to understand that there is a language barrier and to do the due diligence?

    • by DRJlaw (946416)

      On the other hand, hacking a CEOs account isn't the most diplomatic or responsible way to handle the situation and it sounds like his English is a little rough.

      Ok, I'm getting tired of this "hacked Mark Z's account" characterization. It didn't happen.

      This guy posted to a Mark Z's wall. He shouldn't have been able to, but there's no indication that he gained permissions to the account, changed the account settings, or had access to information marked anything other than public in connection with the accoun

  • by ikhider (2837593) on Friday August 23, 2013 @12:50PM (#44656621)
    It is a sophisticated surveillance tool anyway. Also, sort of a part time job you don't get paid for.
    • by Anonymous Coward

      Also, sort of a part time job you don't get paid for.

      That's why I prefer slashdot. It's less of a part time job and more of a low-quality contracting thing I do on the side when I'm bored.

  • I hope they take part of that money and set it up as a reward for publically disclosing Facebook vulnerabilities online.
    That way those security researchers can still get some kind of a reward if Facebook doesn't take them seriously.
    And, more importantly, Facebook will be forced to take them more seriously in the future.

  • that 12K should cover at least some of the court costs and fees.

  • Chosen People (Score:2, Insightful)

    Had Mr. Shreateh not been Palestinian, I'm forced to wonder if Mr. Facebook's reaction would have been different.
    • Had Mr. Shreateh not been Palestinian, I'm forced to wonder if Mr. Facebook's reaction would have been different.

      The bug report that he sent them was totally useless and not worth a penny. I suppose "close friend of Zukerberg" would have helped getting paid, but "white male American" wouldn't.

The person who's taking you to lunch has no intention of paying.

Working...