Hacker Demonstrates Facebook Exploit On Mark Zuckerberg's Wall

Callate

New member
Dec 5, 2008
Madgamer13 said:
Whoah, this thread is full of Facebook hate.

If someone reported an exploit inside a system of mine without any details to reproduce the exploit, then proceeded to use the exploit to abuse the system, in order to get their very valid point across, I'd be quite angry.

But then, this is Facebook we are talking about! Facebook, one of the most successful social networking websites ever! Surely they should be thankful that a person with technical knowhow found a way to compromise their system! Bah! Facebook deserves to be hacked anyway! Now recognise this saviour's superior position and give him the money you have promised with your 'white hat' system!

How naïve, just because Facebook is big and successful does not make it ok to support those who would compromise its service. Of course, I'd be very curious if anyone here who supports this hacker would still choose to do so if they logged into their Facebook account to find their private wall spammed with enlargement pill adverts, posted in the very same damn way this exploit has been explained.

But then, you'll just blame Facebook at that point, won't you? No wonder sites such as these require terms of use.
If that's what happened, dismissing the response as "Facebook hate" might be plausible, if still broad and dismissive, but it's not what happened.

At all.

From the linked article, bold (for emphasis) mine:

Khalil explains on his blog that he submitted a full description of the bug, plus follow-up proof of its existence to the Facebook security feedback page, where researchers can win rewards of at least $500 for finding significant vulnerabilities. Then he submitted again. The second time he got an e-mail back that said, "I am sorry this is not a bug."
Having tried, repeatedly, to go through official channels, he then turned towards more attention-getting methods of getting through the bureaucracy that was ignoring a very real and significantly dangerous risk. The means he chose to do so, as near as I can understand, were arguably some of the least invasive and threatening at his disposal. By way of comparison: it is not at all unusual for hackers, having been rebuffed for their attempts to warn through official channels, to simply post their findings to the public with the hope that increasing the likelihood of exploitation will force those responsible for security to deal with the problem.

It's regrettably common for those responsible for network security to take an "ignore it and it will go away" approach to security breaches, especially if there is likely to be significant expense and/or work involved in fixing the problem. For a company that holds as many people's private information as Facebook, that attitude ought to be inexcusable, but that's no guarantee, especially from the hacker's point of view, that such an attitude wasn't what was keeping Khalil's warning from getting through.

From the same article:

Facebook admits, though, that its team should have been more diligent in following up on Khalil's submission.
What exactly should he have done? Continued to send e-mails to an office that showed no interest in following through?

If your house is on fire, the person who throws a brick through your window when you don't respond to a knock isn't a vandal. He's your best damn friend.
 

chozo_hybrid

What is a man? A miserable little pile of secrets.
Jul 15, 2009
What did the bug do? That's what I'm curious of.

That said, they could afford to thank him for it, it's not like he didn't try contacting them properly first.
 

Grabehn

New member
Sep 22, 2012
So they offer a reward, the guy shows them there's a vulnerability and they don't care, then he exploits the thing to have enough proof and they won't pay because he used the exploit...

I've never been one to like Facebook, but why offer a reward you're not willing to pay? And denying recognition to the one that discovered it? I seriously think they wanted him to use the exploit so they could fix it afterwards without paying a dime.
 

coldfrog

Can you feel around inside?
Dec 22, 2008
The real problem here is that it's impossible to tell for sure which side is in the right because we lack the vital information, IE, exactly what his bug report contained. And you know what, we'll probably never see it.

There's plenty of reasons to dislike Facebook, and I don't feel as if this is one of them. If they've paid out before, there's no reason to think they won't pay out again, and until a pattern of similar behavior emerges, I'm willing to write this off as a one-off and move on. If the complete details of their dialogue are revealed, maybe then we can make a more informed decision, but right now we can only speculate and piss each other off uselessly. And I have a feeling we won't be seeing those transcripts any time soon.
 

Jamous

New member
Apr 14, 2009
Wow. Fuck's sake. That's some shitty stuff right there. They could have at least bloody acknowledged him properly.
 

ciasteczkowyp

New member
May 3, 2011
Corporations ;) I personally will never have an account there, so maybe this guy should go ahead and find some critical exploits.
 

GAunderrated

New member
Jul 9, 2012
Thank you Facebook for showing us why when anyone finds an exploit, they normally abuse the shit out of it. Because if they actually came forward and helped you with a problem you didn't know about, you would still screw over that person. I hope the next person that finds an exploit just takes the site down for good.
 

Blunderboy

New member
Apr 26, 2011
So let me get this straight, rather than reward the man for finding an exploit, they have ignored and punished a man capable of breaking their system?

 

Costia

New member
Jul 3, 2011
I can understand Facebook not paying the $500 since they don't want to encourage people to abuse exploits, even if it is to prove a point.
But on the other hand, he reported it, and they ignored it. So I suppose the best solution would have been not to pay him the $500 for finding an exploit, but to pay him $500 or more for some other reason/excuse, like helping the engineers to solve it, or even to "hire" him for a month as a moderator or whatever.
 

TheNarrator

New member
Feb 12, 2010
Jadak said:
I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.
Legally justified isn't the same thing as morally justified, unfortunately. FB promised to provide a reward for people finding security glitches. The guy found a hole in their security and reported it exactly the way they asked him to, then they denied him the reward, refusing to acknowledge that it's a bug. Then he violates their ToS in order to get public attention to his mistreatment (essentially being scammed), they then acknowledge that he actually was right in the first place, but then still refuse his payment because now he has violated their ToS. Completely ignoring the fact that they broke their promise first, and that he should have received his payment before he had to resort to breaking the ToS. That is dickish, even if it's legal (which I doubt).
 

Legion

Were it so easy
Oct 2, 2008
Assuming we take everything Facebook said as fact, I do not see the issue.

He posted a report, which was good of him. His report did not have enough details for them to reproduce the issue he claimed to have found (which is necessary to fix it), so they ignored it. Rather than providing more details as to how he accomplished it he decided to break the rules and use the exploit to show them, rather than choose to explain it.

They probably get thousands of these kinds of things a day. If somebody claims to have found a bug but doesn't properly explain what it is, then what should Facebook do? They have countless other people doing the same thing and have limited resources, so naturally they are going to focus on those who put the time in to give sufficient details.

If we take what he said as fact, then he was still in the wrong for doing it, because he was not entitled to break the rules just to prove there was an exploit, but Facebook should accept that they have been done a favour and be grateful for it. It's much better to have a guy break the rules harmlessly to show an exploit than to have it go unchecked after all.
 

Strazdas

Robots will replace your job
May 28, 2011
rhizhim said:
in other words:

facebook bragged like a jersey shore guido around and when they got some teeth punched out they say it was an accident and totally not some other Bro/dudette.

here is a demo hack from the guy
Wait, he just Firebugged the IDs? And that's it? Really, there is no privacy check when sending such a message? Wow, I wouldn't even think FB would have such a hole. Almost makes me want to register just to see what other stupidity Facebook left open.
 
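The detail Strazdas picks out, an object ID edited in the browser and no server-side check on whose wall receives the post, is the shape of a missing authorization check on a client-supplied identifier. The following Python sketch is an added example, not code from this thread or from Facebook: it models a wall-post handler twice, once trusting the target ID the client sends and once enforcing the target's wall privacy on the server. The user directory, the privacy modes ("everyone", "friends", "only_me"), and every function name are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    friends: set = field(default_factory=set)
    wall_privacy: str = "friends"      # assumed modes: "everyone", "friends", "only_me"
    wall: list = field(default_factory=list)


class Denied(Exception):
    """Raised when a request fails authentication or authorization."""


def make_directory():
    """Constructed sample data: users 1 and 2 are friends; user 3 is a stranger."""
    return {
        1: User(1, friends={2}),
        2: User(2, friends={1}),
        3: User(3),
    }


def post_to_wall_vulnerable(users, session_uid, target_uid, text):
    """The bug shape: authenticates the sender, then trusts target_uid from the client.

    Anyone logged in can append to any wall simply by editing the ID in the request.
    """
    if session_uid not in users:
        raise Denied("not logged in")
    target = users[target_uid]            # no check that session_uid may post here
    target.wall.append((session_uid, text))
    return len(target.wall)


def can_post_on_wall(sender, target):
    """Server-side policy: who may write on whose wall, decided from server state only."""
    if sender.uid == target.uid:
        return True
    if target.wall_privacy == "everyone":
        return True
    if target.wall_privacy == "friends":
        return sender.uid in target.friends
    return False                          # "only_me" or any unknown mode: deny


def post_to_wall_hardened(users, session_uid, target_uid, text):
    """Same handler with the authorization decision made before touching the wall."""
    if session_uid not in users:
        raise Denied("not logged in")
    target = users.get(target_uid)
    if target is None or not can_post_on_wall(users[session_uid], target):
        raise Denied("sender may not post on this wall")
    target.wall.append((session_uid, text))
    return len(target.wall)


def attempt(users, handler, session_uid, target_uid, text):
    """Run a handler and report 'posted' or 'denied' so outcomes are easy to compare."""
    try:
        handler(users, session_uid, target_uid, text)
        return "posted"
    except Denied:
        return "denied"


if __name__ == "__main__":
    users = make_directory()
    # Stranger (3) targets user 1's wall: the vulnerable handler lets it through.
    print("vulnerable:", attempt(users, post_to_wall_vulnerable, 3, 1, "spam"))
    # Same request against the hardened handler is refused; a friend's post is not.
    print("hardened, stranger:", attempt(users, post_to_wall_hardened, 3, 1, "spam"))
    print("hardened, friend:", attempt(users, post_to_wall_hardened, 2, 1, "hello"))
```

The fix is not validating the ID's format but deciding, from state the client cannot edit, whether this authenticated sender is allowed to act on that object; the check lives in the handler, so changing the ID in Firebug changes nothing.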

Madgamer13

New member
Sep 20, 2010
Callate said:
"If your house is on fire, the person who throws a brick through your window when you don't respond to a knock isn't a vandal. He's your best damn friend."
Out of all of those who have responded to my comment, yours is by far the best. You've explained the importance of the security of Facebook, which holds lots and lots of sensitive information, as well as the grace of this hacker exposing something that needs to be fixed as soon as possible.

But fixing that hole in the system is the job of Facebook's programmers, not the hacker. Exposing the exploit by abusing it and posting the details only makes what was previously unknown now available to more malicious individuals, before Facebook's programmers get the chance to address it.

If it is Facebook's judgement to ignore calls about a very real exploit, then that is their call. It is not right of them, I know, but forcing their hand by exploiting their system against them only places the exploit into the hands of others. Now I would ask; Now that the exploit has been exposed, what do you think will happen if they cannot patch it in time for someone with malicious intent to utilize it? Remember that they are now on a time limit before someone, somewhere does, all thanks to this hacker.

If I were in the hacker's position, I would continually report the exploit to Facebook's support team until they damn well fixed it. I definitely wouldn't showcase it or explain how you could do it within the public arena.

People here are getting one thing wrong, though: I am not defending Facebook just because they are 'big and successful'; I'm defending the importance of the integrity of their system and proper, due process. I lash out against this hacker's actions because he went outside of the system to place undue importance on something that needed to stay in-dev and private to Facebook, not outside where any old idiot can use it to spam adverts on your private wall.

I've specifically quoted this particular part of your reply above, because I think that you are looking at these circumstances in the wrong way. If you would permit me to use your own words, I would say that Facebook is not a house, it isn't on fire and the guy who just smashed in the window did so because he could and showed everyone around him how to do it.
 

Kargathia

New member
Jul 16, 2009
Jadak said:
Kargathia said:
They're fully within their rights refusing him payment, but the moment he went public by pasting it across Zuckerberg's page it went potentially viral.
At that point concerns about not rewarding people for violating your ToS are vastly superseded by the PR implications of how your reaction comes across to millions of onlookers - especially as Facebook is such a consumer-oriented company.

Personally I'd probably pay him for pointing out the glitch, and then ban him. You avoid looking like an ass in the latest viral storm in a teacup, while retaining the validity of your ToS.
Doesn't quite cover the situation. Virtually any bad PR is more costly than $500 to a large public company, but that's ignoring a possible reason behind why they would bother to refuse payment based on ToS in the first place.

On the one hand, they get bad PR if they do what they're doing now. On the other hand, if they do pay the guy, they set a bad precedent and undermine the guidelines set forth for their whitehat program. If they do that, they're basically saying that strictly following the proper procedure is not required, that it is okay to publicly embarrass Facebook to prove your point, and still get paid for your trouble. That is a very bad message to send. Whether it's worse than the bad PR for not doing so is not a decision I would envy making.
It's definitely a bit of a tight bind, but I'm somewhat sceptical about just how much of an influence condoning the violation of the ToS to point out flaws will have on hackers, white-hat or otherwise. The threat of a ban - and often even legal action - is laughable when compared to the e-peen points awarded for slamming mud on Facebook's face in such a public fashion.

The credibility of the white-hat program is much more important than whether or not a message is being sent that violating the ToS is ok when making a point about exploits. Hackers publicly demonstrating their exploit is far from the worst case scenario here; that spot is reserved by potential white-hat hackers instead selling the exploit to criminals.

They always could've adjusted the white-hat program's terms to specifically mention that publicly demonstrating your exploit forfeits all rights of payment, but only after they paid Shreateh.

Right now they've probably handled this in the worst possible way, as they've set themselves up for a viral shitstorm of bad PR. Severity only dependent on the incredibly fickle attention span of the internet.
Just paying the guy tenfold the original reward, and getting him to sign an NDA in return, would have been a preferable course of action here.
 

Vegosiux

New member
May 18, 2011
Okay.

There was a guy over here who discovered a vulnerability in the electronic transactions system of one of our banks. That was....whoa, more than a decade ago. October 2002, in fact.

He designed a trojan and protection against said trojan, sent them to the bank, basically saying "I found your system is vulnerable to this script. And this is how you can prevent such abuses. I'm willing to sell this to you."

He did not end up a very rich man, thanked by the bank for helping them keep their system secure.

He ended up allegedly sending a bullet into his own brain (in a country where guns are extremely hard to get) after the bank had him charged with cyber-crime charges; oddly enough a month before he killed himself he made a press statement that he'd sue the bank the moment his innocence was established.

Been swept under the carpet since then, but...well, you know. Some things never change, and saving face seems to still be more important than owning up to your deficiencies and dealing with them.

There might be a trope for that. [http://tvtropes.org/pmwiki/pmwiki.php/Main/HaveYouToldAnyoneElse]