Hacker Demonstrates Facebook Exploit On Mark Zuckerberg's Wall

Andy Chalk

One Flag, One Fleet, One Cat
Nov 12, 2002


A Palestinian "white hat" hacker decided to make his point by posting on Mark Zuckerberg's wall after Facebook ignored his warnings about a vulnerability in the system.

Khalil Shreateh, a technical sort of fellow from Yatta, Hebron, recently discovered a vulnerability in Facebook that allowed him to post to anyone's wall, even if it was set to private. He reported the issue through Facebook's "Whitehat [https://www.facebook.com/whitehat]" system, which offers a minimum reward of $500 for such discoveries, along with a link to a message he'd written on the wall of Sarah Goodin, a woman who attended the same college as Facebook founder Mark Zuckerberg.

Unfortunately, Facebook security told him that the link he provided resulted in an error, so he resubmitted, explaining why the error occurred and also stating that he might post a message on Zuckerberg's wall to get his point across. After his second submission, Facebook said simply that what he was reporting was not a bug, so he did as he'd warned and posted a message detailing the exploit, along with his report to Facebook security (and its dismissive response), on Zuckerberg's wall.

Very shortly after the message went up, Shreateh was contacted by a Facebook engineer seeking more information about the exploit; soon after that, his account was disabled. When he filed yet another report asking why, he was told it had been shut down "as a precaution."

"When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," a security engineer said in a message. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions."

His account has since been re-enabled but sadly, despite clearly finding a bug, Shreateh won't be getting any reward. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," Facebook told him. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."

Source: Gizmodo [http://khalil-sh.blogspot.ru/p/facebook_16.html]



nodlimax

New member
Feb 8, 2012
Great way to make a point. He didn't actually hurt anyone, but proved that he can break the security of Facecrook.

And what are the idiots doing? Acting like little children.........Jackasses.....
 

Bazaalmon

New member
Apr 19, 2009
Wait, what? Someone finds a major issue with your site, you blow them off, then they exploit it to show you exactly how big a problem it is, and you disable their account for doing it. Does Facebook even care about the privacy of its users? Or was this just a way of avoiding paying somebody for doing your work for you? It probably won't affect the average Facebook user, but it's still a stupid move.
 

Hagi

New member
Apr 10, 2011
"We screwed up, but we're a big company so we're just going to pretend it was your fault!"

I think this is most likely a case where said security engineer did himself not possess sufficient knowledge to understand the technical details provided. After all, if it was a simple error it would be easy to solve for a security expert with sufficient knowledge of the systems in place or if it was a complex error then the guy in question would need to be very knowledgeable to exploit it.

Considering there apparently hasn't been any widespread use on a site with as many users as Facebook, a portion of which are sure to be both looking for these things and highly intelligent, I think it's safe to say that Mr. Shreateh was not the one at fault but was instead dealing with incompetent 'security' engineers.
 

Lightknight

Mugwamp Supreme
Nov 26, 2008
Cheapskates. They're consistently doing this crap to the people they hire to find the bugs. What asses.
 

Zhukov

The Laughing Arsehole
Dec 29, 2009
Clearly his only course of action now is to follow it up with false posts detailing how Zuckerberg has just finished making sweet love to his neighbour's dog.

Since, y'know, this exploit clearly doesn't exist.
 

Bat Vader

New member
Mar 11, 2009
They need to pay him. It's their own fault he had to violate their Terms of Service because they wouldn't listen to him both times when he reported it. In fact the people that told him it wasn't a bug should be fired because they clearly were not doing their jobs.
 

Jadak

New member
Nov 4, 2008
I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.

Now, all things considered, the fair thing to do would be to find some way to pay the guy something, but it certainly shouldn't be publicized. Facebook is not small, nor private. Their terms of service are not intended as a suggestion nor a joke, and publicly rewarding someone in violation of those terms is a big no no, something they likely have entire PR and legal departments dedicated to pointing out.

I mean, come on, do you think a company like Facebook gives a shit about $500 to one guy in the context of anything that could theoretically cause any problem at all for its hundreds of millions of users? I doubt it.

Now, if they got enough bad press over this I wouldn't be surprised to see some sort of compensation tossed out to save face, but at the moment they've decided that rewarding someone who publicly breaks your rules looks worse, and that's perfectly reasonable.
 

Hairless Mammoth

New member
Jan 23, 2013
Sounds like Farcebook is becoming the modern Thomas Edison if not already exceeding his level of jackassery, and this poor bloke is their current Nikola Tesla. They better watch who they cross. Some guys might use their death rays (read: use an exploit that causes lots of damage and lost revenue).
 

CriticalMiss

New member
Jan 18, 2013
wombat_of_war said:
the bad PR alone will cost them more than what they should have paid the guy, hell if he's that good they should have him on payroll
But if he is on their payroll they will actually have to pay him for fixing their mistakes. This way they get it done for free.
 

ThunderCavalier

New member
Nov 21, 2009
Glad to see that companies are still rewarding benevolent but skilled people pointing out bugs in the system instead of sharing them and causing crap to hit the fan. It's this kind of maturity and integrity that ensures that companies are completely exempt from any kind of criticism, and that they are allowed to do as they please.
 

V8 Ninja

New member
May 15, 2010
ThunderCavalier said:
Glad to see that companies are still rewarding benevolent but skilled people pointing out bugs in the system instead of sharing them and causing crap to hit the fan. It's this kind of maturity and integrity that ensures that companies are completely exempt from any kind of criticism, and that they are allowed to do as they please.
Nice turn-around on that last sentence.

Anyways: Just pay the damn guy, Facebook. You are one of (if not THE) most popular websites on all of the internet. You can afford a measly $500.
 

Jadak

New member
Nov 4, 2008
cursedseishi said:
Actually, you're approaching this at a rather pathetically narrow-minded view of the situation. You are focusing on the one individual in the context of just this one event, as if they were somehow going to be compartmentalized and thus not affect anything outside of it.


When in actuality, this type of event has consequences. Other people might see this, and decide that they won't bother reporting any bugs through the "White Hat" system because, as shown, Facebook can more than easily just handwave it off and tell them "Oh not a glitch, sorry you get nothing".

Which, in turn, will lead to those who do exploit and poke around at Facebook's code to not report to them, and instead use it for personal gain, if not monetary then at least enjoyment. If Facebook refuses to acknowledge the glitch (which they did in the first place, if you missed it), then why bother reporting it to them when it can be used for yours, or others', gain.


And I'm sure that for some people who are interested in phishing account information from Facebook users, as well as potentially credit card information, the ability to post on others' walls even if they are set to private could be handy in that regard.

Which is why this whole "Find glitch, +$500" system was started to begin with.
You're right, if you ignore all the details, anyways.

You're arguing that, essentially, this sets a trend that discourages this reward system, and you're ignoring the details of this event, or at least the point of my post, to do so. My entire point was that they're not simply refusing to reward someone, they're refusing to reward a violation of their terms of service.

This does nothing to discourage 'glitch finders', this discourages them from actually taking what they find and abusing the system to make their point. There's nothing wrong with that and it in no way supports the idea that if you find a glitch, Facebook won't pay you.

The one and only problem on that front is with whoever received the bug reports and decided to dismiss what was reported (although as was mentioned in the article, the Facebook engineer could be correct in that not enough explanation was provided to be useful), and problems like that could indeed cause issues for the perception of this reward system, but that's a different issue. What matters here is the simple decision to not pay someone who publicly violated your service.

Maybe a good choice, maybe not, but not one that does anything to discourage those using the system as intended. The only problem there is with cases such as this, where real issues slip through the cracks.
 

The Hungry Samurai

Hungry for Truth
Apr 1, 2004
Paying a guy off for finding your website's exploit? $500
"Ignoring" them and benefiting from their vigilance? $0
Waiting till they make you look like an idiot while discrediting your own free bug finding workforce by continuing to refuse to pay them? Priceless.
 

Charli

New member
Nov 23, 2008
Boy I love the reality where being honest and good with your arguably gray-aligned abilities nets you a pat on the head and 0 money.

Where if he'd given this info to a few more skeezy parties, he'd probably have made bank.

Thanks Facebook, thanks for reaffirming that companies like you are STILL digging your own graves through terrible moral compasses and hiding behind made up rules.