August 19, 2013
A Palestinian IT researcher went straight to the top, hacking Facebook CEO Mark Zuckerberg’s personal page to expose a vulnerability in the social network’s system after being ignored by the site’s security team.
Khalil Shreateh, in a blog post, said the bug he discovered allows anyone to post on any Facebook user’s wall whether they are friends or not.
Upon discovery of the flaw, Shreateh sent a message to Facebook’s White Hat security feedback program, which offers a minimum bounty of $500 for genuine vulnerabilities. The message demonstrated how he was able to place a post on the Facebook page of Zuckerberg’s friend Sarah Goodwin.
A Facebook security engineer, however, responded in a briefly worded e-mail: “sorry this is not a bug.”
The response convinced Shreateh he needed to appeal to the site CEO before action would be taken on the security issue. To prove the bug was indeed real, he placed a note on Zuckerberg’s wall.
“(A) couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users timeline while they are not in friend list,” Shreateh said in his post on Zuckerberg’s timeline. “I appreciate your time reading this and getting some one from your company team to contact me.”
Shreateh was quickly contacted by a Facebook security engineer requesting details of the exploit, after which his Facebook account was disabled.
When Shreateh e-mailed to complain about his account being shut down, he received the following e-mail message:
Facebook disabled your account as a precaution. When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions. We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site. We have now re-enabled your Facebook account.
Security Engineer, Facebook
A Facebook security team member, in a post Saturday on the Hacker News website, said the bug found by Shreateh was fixed last Thursday. The poster also admitted the security team messed up by not asking for additional information after Shreateh’s initial report to the Whitehat team.
The post follows:
So, I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he’d already made (on a real account whose consent he did not have – violating our ToS and responsible disclosure policy), saying that “the bug allow facebook users to share links to other facebook users”. Had he included the video initially, we would have caught this much more quickly.
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it’s sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must “make a good faith effort to avoid privacy violations” and “use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.” Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines.