Security Community Raises $12k For Researcher Snubbed By Facebook 95
Trailrunner7 writes "Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn't like people messing with its users – or its executives. That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him – or any other user – to post comments on the walls of other users who aren't their friends. That shouldn't be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him he didn't provide enough information. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg. On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher."
Zuck, pay up (Score:5, Insightful)
nothing more to say
Re:Zuck, pay up (Score:5, Funny)
nothing more to say
Zuck doesn't like to pay up, ask any Winklevoss you meet, they'll tell ya.
Re: (Score:2)
ask any Winklevoss you meet
*ahem* I believe the correct term is Winklevi
Re: (Score:2)
ask any Winklevoss you meet
*ahem* I believe the correct term is Winklevi
"Winklevi powers Activate! Form of a lawsuit!"
I dunno, not sure it's really working for me. :-/
Re: (Score:1, Funny)
It doesn't work unless you fist-bump your twin as you say it...
Re: (Score:2)
More likely Winklevöss or Winklevossen
Re:Zuck, pay up (Score:4, Funny)
Re: (Score:2)
Comment removed (Score:4, Insightful)
Re: (Score:1)
Re:Probably pointless (Score:5, Informative)
Re:Probably pointless (Score:5, Informative)
Technically he was arrested for breaking and entering, as he had to gain physical access to networking equipment to download JSTOR's documents in bulk.
He was later charged with wire fraud and computer fraud. He didn't just try to download stuff, he actively worked around being blocked when they detected him... over a period of several weeks. He would get blocked and then modify his MAC to get a new IP and start again. He bought a throw away computer and named it Gary Host (GHOST). They eventually blocked entire chunks of the MIT network to stop him... thus he resorted to directly accessing some networking equipment in a restricted area and was filmed doing so while trying to hide his face.
What he did is wrong. Read the indictment. [mit.edu]
Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.
Re: (Score:2)
Of course, the overreaction of charges...
They tarred and feathered him for essentially pulling a digital, although an illgal, prank. He was facing serious prison time becuase 1) it was a "hacker" type digital age crime, 2) it embarrassed MIT and the Fed, 3) The Man's reaction to ANY infringement of ANY penal violation is slowly but with increasing pace plain, bald-faced, incarceration; becuase it saves time and money in the short term with an overburdened court system and a legislative branch that measures its productivity in terms of number of b
Re: (Score:2)
But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.
I'll bet if you watched closely enough, that would describe everybody.
Did you know it's now illegal to use a pellet gun in city limits? I did that all the time as a kid (no, not shooting windows! :-).
Re: (Score:2)
But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.
I'll bet if you watched closely enough, that would describe everybody.
I don't know anyone that isn't aware that breaking and entering is a crime.
Breaking and entering, to steal back stuff that was his and was stolen/misappropriated. You go ahead and hire a lawyer and rely on your pathetically flawed legal system. The rest of us have better things to do than futz with entitled morons.
"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell
Re: (Score:3)
Of course, the overreaction of charges and potential sentences were also wrong. But there is no doubt that he was doing illegal things and he KNEW they were illegal and actively took measures to avoid being identified or caught.
You know, way (way) back when I was in college, there was a really bright student who could circumvent the all local security measures. The CS department simply offered him a job - and he accepted (to the mutual benefit of the student and department).
"Without Authorization" (Score:3, Informative)
This has been true since the late 80s, see the Computer Fraud and Abuse Act.
Re: (Score:1)
The CFAA has been used to prosecute, in this manner, for many years. The ToS defines authorized access and unauthorized access is illegal under the CFAA.
Re:Probably pointless (Score:5, Insightful)
He didn't steal the money, nor did he use the bug to get it. It will be a gift from an unconnected 3rd party. Not too sure how this will be a criminal act. Even if they could do it, the only way they could block it is via lawsuit. Unless Facecook has also become a an arm of law enforcement.
On a more cogent point; you'd think the hip geeks at facebook would have heard of the Streisand Effect, demonstrated over and over again in these cases.
My girlfriend keeps asking me why I don't apply at facebook,
Re: (Score:2)
You should tell her that it's because you have a conscience.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It doesn't work like that. If what he did is a crime, then the money raised and then given to him is profit as a direct result of that crime. Which isn't allowed.
Deserved? (Score:1)
I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug. For $12K you ought to take the time to be pretty thorough in providing a reproducible bug report.
Re:Deserved? (Score:4, Interesting)
I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug. For $12K you ought to take the time to be pretty thorough in providing a reproducible bug report.
I would also like to see this. The reports on this are inconsistent. At first I heard that Facebook "ignored him". Now I am hearing that they "asked for additional information" (which he either did or didn't provide - nobody knows?).
A better way for Facebook to handle this in the future, would be to set up some sandbox "hack me" accounts. Then someone with an exploit can demonstrate it, and ensure they will be taken seriously.
Re: (Score:2)
A better way for Facebook to handle this in the future, would be to set up some sandbox "hack me" accounts. Then someone with an exploit can demonstrate it, and ensure they will be taken seriously.
And any publicly available honeypot would need monitoring, espeically if it's running close-to-production codebase, as that will essentially give blackhats the perfect place to demo their exploits.
Re:Deserved? (Score:5, Insightful)
I'd be interested in seeing his report, to see if he really did provide enough info or not on the bug.
See the previous story from a few days ago here. The bug report was complete crap, and barely distinguishable from spam. It was ALSO a legitimate bug that he was reporting AND he inappropriately spammed a third-party's wall with it.
That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.
Assuming they fixed the bug, he ALSO deserves the bug bounty reward.
There's no good-guy, bad-guy Hollywood story here - it was a bunch of bad communication all around that resulted in a narrative that sold page views. I know, that doesn't make for an emotional after-school special.
Re: (Score:1)
That said Facebook WRONGLY deactivated his account when he posted on Zuck's wall AND they quickly reinstated it when they found out what was actually going on.
How is it that they wrongly deactivated his account? He exploited a bug and used it to post on someone else's wall, just like any spammer would have. It's clearly fair to deactivate while investigating further to block him from using the exploit on anyone else.
Re: (Score:2)
The only reason why the bug was exploited was to show the FB team what the bug was. Not only that but get said something like, "I posted in a place i shouldn't be able to and it is a bug that i am reporting". He was cooperating and bringing an issue to FB. Why assume he's a spammer at all?
Re: (Score:2)
Wait, is that really all it was?
There is no reproduction there, just a one sentence description of what happened.
Did he expect Facebook to trawl through their server code and logs to figure out for themselves what he did?
Re: (Score:2)
I would at least expect them to ask him how he did it. Not just ignore that he was able to do something that should be impossible.
his report: "there is a bug :broken link:" (Score:5, Insightful)
He posted his "bug report". It was a few words, just saying "there is a bug" with no hint of what bug or what the exploit could possibly be. It then had a broken link to an uninteresting post, a post that was private.
To my mind, it doesn't even qualify for the complaint department, much less was it anything close to being a proper report of a security issue.
Further, in response to Facebook comments pointing out that his message was very hard to read due to the pre-school level grammar, spelling, and use of capitals, he said "don caar nver fic red undrlin words" (or something to that effect), so he KNOWS his messages are nearly unreadable and he "don caar". If I get a message where the spelling is completely wrong, the grammar is completely wrong, and the use of capitals is completely wrong, I'd probably suspect that the claim is completely wrong as well.
Re: (Score:2)
The link was not broken, it demonstrated that the bug was indeed there. The Facebook imbeciles didn't follow through with proper administrative access: they had to view the private profile of a third party, you can't just do that without being logged in administrative impersonation mode. I mean, how stupid can one be?
Re:his report: "there is a bug :broken link:" (Score:4, Insightful)
The point of a bug report is to provide information to allow a flaw to be fixed, not to simply brag about having found a problem.
This isn't a useful bug report "This page demonstrates that I was able to bypass your security and tamper with one of your pages."
This is a useful bug report "I was able to bypass your security by sending the following malformed request to your server..."
Bug bounties are generally only offered for the latter.
Re: (Score:2)
Man, if they can't get the log for exactly what transpired when they see a messed up entry, they are fucked already.
Re: (Score:2)
Man, if they can't get the log for exactly what transpired when they see a messed up entry, they are fucked already.
Maybe they can, but that doesn't mean that they have to pay him for it.
They're paying for useful bug reports, not giving rewards to people who hack their website.
broken for anyone but admin, demonstrated nothing (Score:3)
Yes, a system admin could use administrative powers to log in as the target user and would have seen a random youtube video posted on somebody's wall. Which demonstrates nothing without an explanation of what it's supposed to demonstrate.
To the helldesk graduate reading his message, and to anyone else, it was a broken link - an error saying "no such page".
The Facebook rep should have asked for further information - and that's exactly what they did.
Re: (Score:2)
The bug report can be found on the reporters blog:
http://khalil-sh.blogspot.ru/p/facebook_16.html [blogspot.ru]
It's actually pretty shitty and does not even explain anything. Facebook had nothing to go off of except a basic description. The summary of this article has more detail than the reporter provided to Facebook.
Re: (Score:2)
Facebook isn't going to pay money if someone tells them there's a bug. They know there are plenty of bugs. They are going to pay if you give them information that helps them fixing a bug, and what he posted didn't help them in any way.
communication skills (Score:2)
Not trying to play devil's advocate here but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to successfully explain and make understand each flaw to even non-technical people or your work is somewhat worthless.
Now it's true that one can expect a reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated [facebook.com], go through a lot of invalid and spurious submissions a day.
So in case you are hoping fo
Re:communication skills (Score:4)
Bull shit, if you have non-technical people running your bug bounty, then you have lost, they will be paying for things that aren't bugs and ignoring others.
"If I do X, Y happens, repeatedly. Y should not ever happen"
You shouldn't have to do more than that to report a bug for a bug bounty program.
Re: (Score:2)
Except he did not do that, he just said he found a way to post on other people's timelines.
There is nothing about the steps he took, or why it might be happening.
http://khalil-sh.blogspot.ru/p/facebook_16.html [blogspot.ru]
Re: (Score:2)
Bull shit, if you have non-technical people running your bug bounty....
C'mon, read his bug report there was no "if this, then that" in his post, when you translate the teenage gibberish into low level techno-babble it basically says "pwned - pay up". I'm no fan of FB but this guy is on an ego trip and wanted to make headlines for himself at FB's expense, a developer I worked with in the 90's used to do a similar thing when printing out code for code reviews, he would hide an innocuous comment somewhere in 100K lines that said something like "This line has been inserted to test
Slashdot ate my post... (Score:2)
Re: (Score:1)
Re: (Score:2)
No, Mossad/Al Queda is going to plant three new surface to air missile launchers.
FTFM :)
PR failure (Score:5, Insightful)
Re: (Score:1)
Researcher? (Score:2, Offtopic)
Re:Researcher? (Score:5, Insightful)
In the real world, a "researcher" is someone who works to rigorous academic standards writing and publishing original scholarship.
In the "IT security" world, a "researcher" is someone who finds that complex code isn't perfect and thinks himself important for making such a find.
Re: (Score:2)
in the "IT security" world, the average "researcher" is a "hacker", but we aren't allowed to use that word anymore without going to jail, so now everything is under "security researcher" regardless of how professional it is.
Pretty much like how bloggers have decided to hide out under the 'journalist' umbrella after blogger came to mean 'person with narcissism, brain diarrhea, and the internet'. Now they are watering down the meaning of jouralism, but the word still has some shreds of credibility.
Nice effort, but sets a bad precedent (Score:5, Insightful)
The problem is, by third parties paying him, it sets a precedent for rewarding Facebook's bad behavior. Make no mistake - the same idiots that refused the payout and who whitewashed it by claiming a ToS violation will be the same ones watching this effort and wondering how much more they can get away with.
Ultimately, this is bad business practice for Facebook because this strategy will devolve into grey hats and black hats going for the jugular every time, and less white hats trying to do the right thing. Or maybe this just means people will realize on their own what I keep telling them - avoid using Facebook wherever possible. That will, unfortunately, be found out the hard way during the next big publicized data breach.
Re: (Score:2)
Nah. Now everybody knows that instead of getting $500 from Facebook telling them about their bugs, they can get $12k from the community by just hacking them directly.
Re: (Score:2)
Not really... ,beyond what is in the title of this summary.
If you actually read his report, there is nothing to it
http://khalil-sh.blogspot.ru/p/facebook_16.html [blogspot.ru]
The reproduction steps are entirely gone, there is nothing there for a Dev to go in and investigate with.
--------------
repro:
the vulnerability allow's facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post
link - > https://www.facebook.com/10151857333098885 [facebook.com]
of course you may cant
Zero Day Facebook Attack? (Score:2)
Looks like it would be better to just sell to umm someone rather than try report to facebook for $500.
Of the 12,000 (Score:2)
How much of that is "Screw you, Facebook" dollars?
Re: (Score:3)
Re: (Score:1)
Even $1 of "screw you, Facebook" money must taste indescribably sweet.
I'm jaded on this (Score:3)
One one hand, as he says he could've made a ton of money selling this hack to a spammer and ended up harassing MILLIONS of users. On the other hand, hacking a CEOs account isn't the most diplomatic or responsible way to handle the situation and it sounds like his English is a little rough. If you're a locksmith, staging a break-in probably isn't the best way to get a bank's business.
Re: (Score:2)
If you're a locksmith, staging a break-in probably isn't the best way to get a bank's business.
Except that this "bank" explicitly says it will reward people who can bypass the lock. I think it is more like " If you're a locksmith, staging a break-in into the director's office probably isn't the best way to get a bank's business."
Re: (Score:2)
Why doesn't facebook set up an account which security researchers ARE allowed to hack.
They could even monitor the account to get as much information as soon as possible when a hack is reported.
Re: (Score:3)
He already hacked someone's account, they didn't care (the "not a bug" reply) - it apparently wasn't a person important enough. They acted like idiots. That's all. Does it take a fucking genius to understand that there is a language barrier and to do the due diligence?
Re: (Score:2)
Ok, I'm getting tired of this "hacked Mark Z's account" characterization. It didn't happen.
This guy posted to a Mark Z's wall. He shouldn't have been able to, but there's no indication that he gained permissions to the account, changed the account settings, or had access to information marked anything other than public in connection with the accoun
Glad I don't use Facebook (Score:4, Insightful)
Re: (Score:1)
Also, sort of a part time job you don't get paid for.
That's why I prefer slashdot. It's less of a part time job and more of a low-quality contracting thing I do on the side when I'm bored.
Spend the money well (Score:2)
I hope they take part of that money and set it up as a reward for publically disclosing Facebook vulnerabilities online.
That way those security researchers can still get some kind of a reward if Facebook doesn't take them seriously.
And, more importantly, Facebook will be forced to take them more seriously in the future.
that 12K should cover at least some of the court c (Score:2)
that 12K should cover at least some of the court costs and fees.
Chosen People (Score:2, Insightful)
Re: (Score:2)
Had Mr. Shreateh not been Palestinian, I'm forced to wonder if Mr. Facebook's reaction would have been different.
The bug report that he sent them was totally useless and not worth a penny. I suppose "close friend of Zukerberg" would have helped getting paid, but "white male American" wouldn't.