Madgamer13 said:
Whoah, this thread is full of Facebook hate.
If someone reported an exploit inside a system of mine without any details to reproduce the exploit, then proceeded to use the exploit to abuse the system, in order to get their very valid point across, I'd be quite angry.
But then, this is Facebook we are talking about! Facebook, one of the most successful social networking websites ever! Surely they should be thankful that a person with person with technical knowhow found a way to compromise their system! Bah! Facebook deserves to be hacked anyway! Now recognise this saviour's superior position and give him money you have promised with your 'white hat' system!
How naïve, just because Facebook is big and successful does not make it ok to support those who would compromise it's service. Of course, I'd be very curious if anyone here who supports this hacker would still choose to do so if they log into their Facebook account to find their private wall spammed with enlargement pill adverts, posted by the very same damn way this exploit has been explained.
But then, you'll just blame Facebook at that point, won't you? No wonder sites such as these require terms of use.
If that's what happened, dismissing the response as "Facebook hate" might be plausible, if still broad and dismissive, but it's not what happened.
At all.
From the linked article, bold (for emphasis) mine:
Khalil explains on his blog that he submitted a full description of the bug, plus follow-up proof of its existence to the Facebook security feedback page, where researchers can win rewards of at least $500 for finding significant vulnerabilities. Then he submitted again. The second time he got an e-mail back that said, "I am sorry this is not a bug."
Having tried, repeatedly, to go through official channels, he then turned towards more attention-getting methods of getting through the bureaucracy that was ignoring a very real and significantly dangerous risk. The means he chose to do so, as near as I can understand, were arguably some of the
least invasive and threatening at his disposal. By way of comparison: it is not at all unusual for hackers, having been rebuffed for their attempts to warn through official channels, to simply post their findings to the public with the hope that increasing the likelihood of exploitation will
force those responsible for security to deal with the problem.
It's regrettably common for those responsible for network security to take an "ignore it and it will go away" approach to security breaches, especially if there is likely to be significant expense and/or work involved in fixing the problem. For a company that holds as many people's private information as Facebook, that attitude ought to be inexcusable- but that's no guarantee, especially from the hacker's point of view, that such an attitude wasn't what was keeping Kahlil's warning from getting through.
From the same article:
Facebook admits, though, that its team should have been more diligent in following up on Khalil's submission.
What
exactly should he have done? Continued to send e-mails to an office that showed no interest in following through?
If your house is on fire, the person who throws a brick through your window when you don't respond to a knock isn't a vandal. He's your best damn friend.
I personally will never have an account there so maybe this guy should go ahead and find some critical exploits.
