Hacker Demonstrates Facebook Exploit On Mark Zuckerberg's Wall

GAunderrated

New member
Jul 9, 2012
998
Thank you Facebook for showing us why when anyone finds an exploit, they normally abuse the shit out of it. Because if they actually came forward and helped you with a problem you didn't know about, you would still screw over that person. I hope the next person that finds an exploit just takes the site down for good.
 

Blunderboy

New member
Apr 26, 2011
2,223
So let me get this straight, rather than reward the man for finding an exploit, they have ignored and punished a man capable of breaking their system?

 

Costia

New member
Jul 3, 2011
167
I can understand Facebook not paying the $500 since they don't want to encourage people to abuse exploits, even if it is to prove a point.
But on the other hand, he reported it, and they ignored it. So I suppose the best solution would have been not to pay him the $500 for finding an exploit, but to pay him 500 or more for some other reason/excuse, like helping the engineers to solve it, or even "hire" him for a month as a moderator or whatever.
 

TheNarrator

New member
Feb 12, 2010
49
Jadak said:
I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.
Legally justified isn't the same thing as morally justified, unfortunately. FB promised to provide a reward for people finding security glitches. The guy found a hole in their security and reported it exactly the way they asked him to, then they denied him the reward, refusing to acknowledge that it's a bug. Then he violates their ToS in order to get public attention to his mistreatment (essentially being scammed), they then acknowledge that he actually was right in the first place, but then still refuse his payment because now he has violated their ToS. Completely ignoring the fact that they broke their promise first, and that he should have received his payment before he had to resort to breaking the ToS. That is dickish, even if it's legal (which I doubt).
 

Legion

Were it so easy
Oct 2, 2008
7,186
Assuming we take everything Facebook said as fact, I do not see the issue.

He posted a report, which was good of him. His report did not have enough details for them to reproduce the issue he claimed to have found (which is necessary to fix it), so they ignored it. Rather than providing more details as to how he accomplished it he decided to break the rules and use the exploit to show them, rather than choose to explain it.

They probably get thousands of these kinds of things a day. If somebody claims to have found a bug but doesn't properly explain what it is, then what should Facebook do? They have countless other people doing the same thing and have limited resources, so naturally they are going to focus on those who put the time in to give sufficient details.

If we take what he said as fact, then he was still in the wrong for doing it, because he was not entitled to break the rules just to prove there was an exploit, but Facebook should accept that they have been done a favour and be grateful for it. It's much better to have a guy break the rules harmlessly to show an exploit than to have it go unchecked after all.
 

Strazdas

Robots will replace your job
May 28, 2011
8,405
rhizhim said:
in other words:

facebook bragged like a jersey shore guido around and when they got some teeth punched out they say it was an accident and totally not some other Bro/dudette.

here is a demo hack from the guy
Wait, he just Firebugged the IDs? And that's it? Really, there is no privacy check when sending such a message? Wow, I wouldn't even think FB would have such a hole. Almost makes me want to register just to see what other stupidity Facebook left open.
 
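The class of flaw the post above is reacting to is a missing server-side authorization check: the server accepts whatever target ID the browser sends and writes to that timeline. The following is an added illustration, not code from the thread or from Facebook; the user records, the `wall_policy` setting and the two handlers are constructed for the example.

```python
# Added example: a toy wall-post handler in its vulnerable and fixed forms.
# All users, friendships and policy values below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    friends: set = field(default_factory=set)
    # Who may post on this user's timeline: "friends" or "nobody" (constructed setting).
    wall_policy: str = "friends"


USERS = {
    1: User(1, friends={2}),
    2: User(2, friends={1}),
    3: User(3, wall_policy="friends"),  # no friends: a stranger must be refused
}
WALLS = {uid: [] for uid in USERS}


def post_vulnerable(session_uid, target_uid, text):
    """Vulnerable: target_uid comes straight from the request (an ID that can be
    edited in the browser's dev tools) and is used without any check."""
    WALLS[target_uid].append((session_uid, text))
    return True


def can_post_on_wall(actor, target):
    """Authorization decision based only on server-side state."""
    if actor.uid == target.uid:
        return True
    if target.wall_policy == "friends":
        return actor.uid in target.friends
    return False


def post_fixed(session_uid, target_uid, text):
    """Fixed: the authenticated session identifies the actor, the target's own
    privacy setting decides, and unknown IDs are refused rather than trusted."""
    actor, target = USERS.get(session_uid), USERS.get(target_uid)
    if actor is None or target is None or not can_post_on_wall(actor, target):
        return False
    WALLS[target_uid].append((session_uid, text))
    return True
```

The useful detection point is the same check: any write whose target is not the actor and not permitted by the target's policy should be refused and logged, regardless of what ID the client supplied.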

Madgamer13

New member
Sep 20, 2010
116
Callate said:
"If your house is on fire, the person who throws a brick through your window when you don't respond to a knock isn't a vandal. He's your best damn friend."
Out of all of those who have responded to my comment, yours is by far the best. You've explained the importance of the security of Facebook, which holds lots and lots of sensitive information, as well as the grace of this hacker exposing something that needs to be fixed as soon as possible.

But fixing that hole in the system is the job of Facebook's programmers, not the hacker. Exposing the exploit by abusing it and posting the details only makes what was previously unknown now available to more malicious individuals, before Facebook's programmers get the chance to address it.

If it is Facebook's judgement to ignore calls about a very real exploit, then that is their call. It is not right of them, I know, but forcing their hand by exploiting their system against them only places the exploit into the hands of others. Now I would ask: now that the exploit has been exposed, what do you think will happen if they cannot patch it in time for someone with malicious intent to utilize it? Remember that they are now on a time limit before someone, somewhere does, all thanks to this hacker.

If I was in the Hacker's position, I would continually report the exploit to Facebook's support team until they damn well fixed it. I definitely wouldn't showcase it or explain how you could do it within the public arena.

People here are getting one thing wrong though: I am not defending Facebook just because they are 'big and successful', I'm defending the importance of the integrity of their system and proper, due process. I lash against this hacker's actions because he went outside of the system to place undue importance in something that needed to stay in-dev and private to Facebook, not outside where any old idiot can use it to spam adverts on your private wall.

I've specifically quoted this particular part of your reply above, because I think that you are looking at these circumstances in the wrong way. If you would permit me to use your own words, I would say that Facebook is not a house, it isn't on fire and the guy who just smashed in the window did so because he could and showed everyone around him how to do it.
 

Kargathia

New member
Jul 16, 2009
1,657
Jadak said:
Kargathia said:
They're fully within their rights refusing him payment, but the moment he went public by pasting it across Zuckerberg's page it went potentially viral.
At that point concerns about not rewarding people for violating your ToS are vastly superseded by the PR implications of how your reaction comes across to millions of onlookers - especially as Facebook is such a consumer-oriented company.

Personally I'd probably pay him for pointing out the glitch, and then ban him. You avoid looking like an ass in the latest viral storm in a teacup, while retaining the validity of your ToS.
Doesn't quite cover the situation. Virtually any bad PR is more costly than $500 to a large public company, but that's ignoring a possible reason behind why they would bother to refuse payment based on ToS in the first place.

On the one hand, they get bad PR if they do what they're doing now. On the other hand, if they do pay the guy, they set a bad precedent and undermine the guidelines set forth for their whitehat program. If they do that, they're basically saying that strictly following the proper procedure is not required, that it is okay to publicly embarrass Facebook to prove your point, and still get paid for your trouble. That is a very bad message to send. Whether it's worse than the bad PR for not doing so is not a decision I would envy making.
It's definitely a bit of a tight bind, but I'm somewhat sceptical about just how much of an influence condoning the violation of the ToS to point out flaws will have on hackers, white-hat or otherwise. The threat of a ban - and often even legal action - is laughable when compared to the e-peen points awarded for slamming mud on Facebook's face in such a public fashion.

The credibility of the white-hat program is much more important than whether or not a message is being sent that violating the ToS is ok when making a point about exploits. Hackers publicly demonstrating their exploit is far from the worst case scenario here; that spot is reserved by potential white-hat hackers instead selling the exploit to criminals.

They always could've adjusted the white-hat program's terms to specifically mention that publicly demonstrating your exploit forfeits all rights of payment, but only after they paid Shreateh.

Right now they've probably handled this in the worst possible way, as they've set themselves up for a viral shitstorm of bad PR, its severity only dependent on the incredibly fickle attention span of the internet.
Just paying the guy tenfold the original reward, and getting him to sign an NDA in return, would have been a preferable course of action here.
 

Vegosiux

New member
May 18, 2011
4,378
Okay.

There was a guy over here who discovered a vulnerability in the electronic transactions system of one of our banks. That was... whoa, more than a decade ago. October 2002, in fact.

He designed a trojan and protection against said trojan, sent them to the bank, basically saying "I found your system is vulnerable to this script. And this is how you can prevent such abuses. I'm willing to sell this to you."

He did not end up a very rich man, thanked by the bank for helping them keep their system secure.

He ended up allegedly sending a bullet into his own brain (in a country where guns are extremely hard to get) after the bank had him charged with cyber-crime charges; oddly enough a month before he killed himself he made a press statement that he'd sue the bank the moment his innocence was established.

Been swept under the carpet since then, but...well, you know. Some things never change, and saving face seems to still be more important than owning up to your deficiencies and dealing with them.

There might be a trope for that. [http://tvtropes.org/pmwiki/pmwiki.php/Main/HaveYouToldAnyoneElse]