Hacker Demonstrates Facebook Exploit On Mark Zuckerberg's Wall

wulf3n

We can now expect no hacker to report found issues; they will instead sell the exploit to the highest bidder.

Nice work Facebook :)
 

Alistair_Darkheart

Facebook said simply that what he was reporting was not a bug
You know, I'm just curious how they determined he was in breach of the terms of service, when they themselves had told him that such was not a bug. And when something isn't a bug it's generally a feature (and some bugs count as features when they produce awesome results).

To me this is them just being jerks after they screwed up, considering he did the right thing reporting it, trying to re-explain the situation and warning them of how he was going to provide an example for them prior to them dismissing it as not being a bug.

Al.
 

Jadak

Kwil said:
Sorry. The terms of service do not say that they can refuse to pay you anything owed through other programs or services they provide. The terms say that they can shut down your account.

So in reality, the *proper* course of action is to pay him the $500, ban his account, fire the dumb fuck who said it wasn't a glitch at all, and then see if Mr. Shreateh is interested in the now vacant position.
Have you read the terms of service? I certainly haven't, and while you could be right, with the extensive terms of service agreements companies tend to have these days I wouldn't at all be surprised if there was in fact something applicable to the situation.

As for the firing, there are hardly enough details to make that determination. First and possibly most important is the sheer quantity of reports Facebook may or may not get. Maybe it's few, maybe it's a shitload, I don't know, but I would expect the latter, along with the fact that no small number of them are spam or otherwise not worth anyone's time. If that is the case, then it's unfortunate but frankly, shit happens, legit things can look like spam, things get missed and there's no guarantee anyone else would do any better. Not saying the guy shouldn't be fired, but there are far too few details here to claim incompetence on his part.
 

Ace Morologist

Andy Chalk said:
Facebook told him. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."
I'm sure he will be more than happy to do just that.

I mean, wouldn't anyone?

--Morology!
 

chiefohara

Bad form on Facebook's part really. $500 is nothing to them, and it's not like the guy didn't warn them that that was what he was going to do.

I'm kinda surprised they aren't seriously looking at hiring the guy really.
 

Jadak

Kwil said:
I haven't read the terms of service. But I know they don't say that because that's the law. No agreement can state that failure to adhere to one particular agreement cancels the company's obligations in any other separate agreements. That's simply contract law.

And the whitehat policy, found here: https://www.facebook.com/whitehat , is clearly a separate agreement as it makes absolutely no reference to its Terms of Service or to requiring that the whitehat hold an account. In fact, it explicitly encourages the whitehat to *avoid* using real accounts for the activity -- a judge would see that as an explicit denial of a link between this activity and their account system, ergo, their terms of service.
That clears that up then, although interestingly enough, on the very page you linked there is a section that contains this text (right near the top):

Responsible Disclosure Policy
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
I'd say the "good faith effort to avoid privacy violations" goes out the window instantly, considering violating privacy is what he intentionally did to prove his point (albeit, still in good faith I guess).

Granted, it doesn't explicitly say 'will not pay you' on top of that, but come on.. It's right there on the main page telling people to make an effort to avoid this kind of stuff to prove their points.
 

Patrick Hayes

Jadak said:
I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.

Now, all things considered, the fair thing to do would be to find some way to pay the guy something, but it certainly shouldn't be publicized. Facebook is not small, nor private. Their terms of service are not intended as a suggestion nor a joke, and publicly rewarding someone in violation of those terms is a big no-no, something they likely have entire PR and legal departments dedicated to pointing out.

I mean, come on, do you think a company like Facebook gives a shit about $500 to one guy in the context of anything that could theoretically cause any problem at all for its hundreds of millions of users? I doubt it.

Now, if they got enough bad press over this I wouldn't be surprised to see some sort of compensation tossed out to save face, but at the moment they've decided that rewarding someone who publicly breaks your rules looks worse, and that's perfectly reasonable.
So you think blackhats won't violate terms of service when they get into systems? Because that's exactly what they do. TOS aren't a deterrent for malicious intent.
 

Jadak

Patrick Hayes said:
So you think blackhats won't violate terms of service when they get into systems? Because that's exactly what they do. TOS aren't a deterrent for malicious intent.
Why would I think that? No, I'm saying don't pay them for doing it. Sure, this guy isn't a 'blackhat', and it's too bad his report was ignored / met with dismissal, but he could have kept at it; a better formulated report to argue the matter would have been an appropriate step, but he chose to 'make a point', and you don't typically pay people for fucking with you.
 

Kargathia

Jadak said:
You're right, if you ignore all the details, anyways.

You're arguing that, essentially, this sets a trend that discourages this reward system, and you're ignoring the details of this event, or at least the point of my post, to do so. My entire point was that they're not simply refusing to reward someone, they're refusing to reward a violation of their terms of service.

This does nothing to discourage 'glitch finders'; this discourages them from actually taking what they find and abusing the system to make their point. There's nothing wrong with that and it in no way supports the idea that if you find a glitch, Facebook won't pay you.

The one and only problem on that front is with whoever received the bug reports and decided to dismiss what was reported (although as was mentioned in the article, the Facebook engineer could be correct in that not enough explanation was provided to be useful), and problems like that could indeed cause issues for the perception of this reward system, but that's a different issue. What matters here is the simple decision to not pay someone who publicly violated your service.

Maybe a good choice, maybe not, but not one that does anything to discourage those using the system as intended. The only problem there is with cases such as this, where real issues slip through the cracks.
They're fully within their rights refusing him payment, but the moment he went public by pasting it across Zuckerberg's page it went potentially viral.
At that point concerns about not rewarding people for violating your ToS are vastly superseded by the PR implications of how your reaction comes across to millions of onlookers - especially as Facebook is such a consumer-oriented company.

Personally I'd probably pay him for pointing out the glitch, and then ban him. You avoid looking like an ass in the latest viral storm in a teacup, while retaining the validity of your ToS.
 

Jadak

Kargathia said:
They're fully within their rights refusing him payment, but the moment he went public by pasting it across Zuckerberg's page it went potentially viral.
At that point concerns about not rewarding people for violating your ToS are vastly superseded by the PR implications of how your reaction comes across to millions of onlookers - especially as Facebook is such a consumer-oriented company.

Personally I'd probably pay him for pointing out the glitch, and then ban him. You avoid looking like an ass in the latest viral storm in a teacup, while retaining the validity of your ToS.
Doesn't quite cover the situation. Virtually any bad PR is more costly than $500 to a large public company, but that's ignoring a possible reason behind why they would bother to refuse payment based on ToS in the first place.

On the one hand, they get bad PR if they do what they're doing now. On the other hand, if they do pay the guy, they set a bad precedent and undermine the guidelines set forth for their whitehat program. If they do that, they're basically saying that strictly following the proper procedure is not required, that it is okay to publicly embarrass Facebook to prove your point and still get paid for your trouble. That is a very bad message to send. Whether it's worse than the bad PR for not doing so is not a decision I would envy making.
 

1337mokro

THANKS FOR THE FISH BRO!!! LULZ!!!

Is the message I think he received. I hope Facebook is ready for the shitstorm of crap that is coming their way if this guy finds a vital exploit.
 

Callate

His account has since been re-enabled but sadly, despite clearly finding a bug, Shreateh won't be getting any reward. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," Facebook told him. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."
Read more at http://www.escapistmagazine.com/news/view/126996-Hacker-Demonstrates-Facebook-Exploit-On-Mark-Zuckerbergs-Wall
Oh, for fuck's sake.

Grow a spine, admit that the fault was yours, and reward the man for doing your job for you, you petty sons of weasels!
 

Madgamer13

Whoah, this thread is full of Facebook hate.

If someone reported an exploit inside a system of mine without any details to reproduce the exploit, then proceeded to use the exploit to abuse the system, in order to get their very valid point across, I'd be quite angry.

But then, this is Facebook we are talking about! Facebook, one of the most successful social networking websites ever! Surely they should be thankful that a person with technical know-how found a way to compromise their system! Bah! Facebook deserves to be hacked anyway! Now recognise this saviour's superior position and give him the money you have promised with your 'white hat' system!

How naïve; just because Facebook is big and successful does not make it OK to support those who would compromise its service. Of course, I'd be very curious if anyone here who supports this hacker would still choose to do so if they logged into their Facebook account to find their private wall spammed with enlargement pill adverts, posted by the very same damn way this exploit has been explained.

But then, you'll just blame Facebook at that point, won't you? No wonder sites such as these require terms of use.
 

Dr. Cakey

Madgamer13 said:
Whoah, this thread is full of Facebook hate.

If someone reported an exploit inside a system of mine without any details to reproduce the exploit, then proceeded to use the exploit to abuse the system, in order to get their very valid point across, I'd be quite angry.

But then, this is Facebook we are talking about! Facebook, one of the most successful social networking websites ever! Surely they should be thankful that a person with technical know-how found a way to compromise their system! Bah! Facebook deserves to be hacked anyway! Now recognise this saviour's superior position and give him the money you have promised with your 'white hat' system!

How naïve; just because Facebook is big and successful does not make it OK to support those who would compromise its service. Of course, I'd be very curious if anyone here who supports this hacker would still choose to do so if they logged into their Facebook account to find their private wall spammed with enlargement pill adverts, posted by the very same damn way this exploit has been explained.

But then, you'll just blame Facebook at that point, won't you? No wonder sites such as these require terms of use.
The only one here attempting to compromise Facebook's service is Facebook.