Monday, 19 August 2013

Facebook Vulnerability.



In a hacker's daily life it is usual to get hold of important data files or to discover new issues. A good home for hackers is Facebook, the most common social network. If someone finds a bug, he or she has the chance to submit it through the company's white hat disclosure program and get a reward.
A security researcher found a security issue on Facebook and, when his report went nowhere, took action himself. Khalil Shreateh from Yatta-Hebron, Palestine, had reported a bug to Facebook's bug bounty program but was denied acknowledgement and a cash payment because, according to Facebook, it was not a "bug".

That's the problem. Someone finds a bug. Reports it. But in turn gets ignored.

This is when the Palestinian hacker took advantage of the very bug he was trying to report and chose to demonstrate it directly on Facebook founder Mark Zuckerberg's Timeline.

He first reported the vulnerability via email to the bug bounty program. The social network, however, failed to recognize the vulnerability in his report.

Original post from Khalil's blog.

Before reporting the bug, Shreateh successfully tested it by posting on the Timeline of Sarah Goodin, a former college classmate of Mark Zuckerberg. Khalil included a link to this post in the email, but the Facebook security employee who received the email, identified as Emrakul, couldn't see the post, since he wasn't friends with Goodin.

That's what Shreateh tried to explain to Emrakul in a second email. He warned that he could post on Mark Zuckerberg's Timeline but wouldn't, "cause I do respect people privacy." His second email was ignored.


Khalil once again reported the bug, explaining it in detail, to which the reply was:



Finally losing patience, Khalil decided to report the bug directly on Mark Zuckerberg's Timeline.

This post got the attention of another Facebook engineer, Ola Okelola, who commented on the post asking for more information on the bug. After a brief discussion, Shreateh's Facebook account was suspended "as a precaution," as another Facebook security engineer named Joshua explained to Shreateh by email.

By posting on Zuckerberg's wall, Shreateh also violated Facebook's responsible disclosure policy, which prohibits people who discover bugs from taking advantage of them and demonstrating them on other people's accounts without their permission. Shreateh won't be rewarded for his finding, because he violated the disclosure policy. Take a look at the video, which shows how he took advantage of the bug.

"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent," explained Matt Jones of Facebook. Facebook declined to comment further. The bug itself has been fixed, according to Jones.


Note: This post has been updated with the help of Khalil Shreateh's blog post and Mashable's report.

13 comments:

Jauhar said...

This is how it goes with this kind of thing.

Well, I believe that those who don't have Facebook are at the better end?

And companies don't give a damn about anything except money.

Unknown said...

Well, it's all the ill effects of modernisation, and media promotes this expansion of social innovations, huh. Anyways, you always come up with such ingenious ideas. Haha, I should applaud. It's simply amazing. (Y)

Rida said...

No wonder there are so many errors in the Facebook world.

Anonymous said...

that's a good compilation Liz!

Luke Best said...

Mark Zuckerberg's such a punk

Usman Tahir said...

Is the bug really fixed, or are they trying to get away with it?

l.a said...

lol at the guy's English -l.a

WritingsForLife said...

I think they have a point. He should have included more information for them to go on before he wrote on Zuckerberg's wall. In any case, I think Facebook will take things seriously now :-)

Anonymous said...

whoa..!!

Lubaina E. said...

Maybe backing up this information with more data might've helped.
Khalil's mails somehow seem more like spam than a report of a 'finding'.

l.a said...

He did provide links and mailed thrice. Facebook simply chose to ignore the bug.

l.a said...

"Hi Khalil,

I am sorry this is not a bug."

That is refusal and ignorance rather than a sign of at least trying to acknowledge the problem.

Anonymous said...

Good to realise.
