August 19, 2013
Security Vigilante Posts Facebook Vulnerability On Zuckerberg’s Timeline
Peter Suciu for redOrbit.com – Your Universe Online
Palestinian IT expert Khalil Shreateh demonstrated a Facebook vulnerability by posting a bug report directly on company founder Mark Zuckerberg’s Timeline. This type of thing should have been restricted as the two aren’t friends, and Shreateh claims he took this drastic measure to prove to Facebook that the bug he discovered was in fact legitimate.Initially Shreateh tried to report the vulnerability through the security feedback page, which offered a minimum reward of $500 for each real security bug report. The security team failed to acknowledge the bug, and reportedly responded, “Sorry, this is not a bug.”
This began when he contacted the company stating that he was able to make posts to the page for Sarah Goodin – a friend of Mark Zuckerberg but not Shreateh – but as the security team was not friends with her either they only saw an error message.
As the researcher was reportedly told that his findings were not a bug, but an error, he opted to go straight to the top and posted the bug report on Zuckerberg’s page.
“Days ago i discovered a serious facebook vulnerability that allows a facebook user to post to all facebook users timeline even they are not in his friend list,” Shreateh posted on his blog, adding “i report that exploit through whitehat.”
In his initial reporting of the bug, Shreateh apparently tried to follow Facebook’s own procedures, but when he was unable to convince the security team of his findings he took matters into his own hands – and not surprisingly, that made the social network's security team take notice. As a result, the flaw was addressed and Shreateh’s account was suspended. Facebook software engineer Matt Jones said the account was disabled as a precautionary measure.
“When we discovered your activity we did not fully know what was happening,” Jones posted on his security blog. “Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.”
While Jones and Facebook’s security team now recognize and even acknowledge the vulnerability, Shreateh won’t get a reward.
“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service,” Jones noted. “We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
By posting on Zuckerberg’s timeline, Shreateh apparently violated those terms of service in addition to not following protocol for reporting security flaws. In fact, Facebook requires that bug testing be done on test accounts, so by posting not only on Zuckerberg’s timeline but that of Goodin as well, Shreateh's vigilante testing violated the terms of service.
Jones did, however, note that Facebook's security team should have asked for more details, and also acknowledged that the language barrier was an issue.
“Many of our best reports come from people whose English isn’t great - though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided.”
It should also be pointed out that Facebook’s own disclosure rules are posted only in English, which is not Shreateh’s first language. As a result of this language barrier the amateur security expert is out $500, but he certainly got the attention of Zuckerberg and Facebook.