Risk
8/19/2013
11:28 AM
50%
50%

Facebook Slaps Researcher Who Hacked Zuckerberg's Wall

No bug bounty for you, says social network, after rebuffed researcher demonstrates massive security flaw by posting to Facebook founder's own wall.

10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)
Memo from Facebook to security researchers: Don't hack the boss's Facebook wall.

That's the gist of the company's response to Palestinian information security researcher Khalil Shreateh, who twice attempted to report a serious site vulnerability to the social network's White Hat team, only to have Facebook dismiss his reports when they couldn't be reproduced.

According to a blog post by Shreateh, the vulnerability, which he recently discovered, allowed him to post messages -- including photos and links -- to anyone's Facebook wall. That included Facebook walls that would have been private, with access restricted to anyone who wasn't "friends" with the accountholder.

Shreateh, who lists his occupation as being an unemployed information systems engineer, twice attempted to alert Facebook to the problem. He also included as a proof of concept a link to a private page to which he'd been able to post. The page belonged to Sarah Goodin, a close friend and former Harvard University classmate of Facebook CEO Mark Zuckerberg.

[ Hungry? Read Facebook Mobile Does Restaurant Reservations. ]

Both times, however, Facebook's security team replied that that it couldn't reproduce the problem. "Sorry this is not a bug," read one such email to Shreateh. As the security researcher tried to make clear, however, the bug couldn't be reproduced simply because Facebook's security team didn't have access rights to Goodin's wall -- they weren't "friends" on the social network.

Frustrated, Shreateh looked for a way to demonstrate the vulnerability to Facebook, and chose to do so by posting an arbitrary message to Zuckerberg's own wall. "Dear Mark Zuckerberg," began Shreateh's message. "Sorry for breaking your privacy and post (sic) to your wall, I has no other choice to make after all the reports I sent to Facebook team," continued Shreateh, who sent the message from his own Facebook account.

Shreateh also demonstrated the exploit in a video he recorded late Wednesday and posted to YouTube.

Posting to Zuckerberg's wall -- and possibly also because Shreateh used Edward Snowden's photograph as his profile image -- triggered a rapid response. Just minutes later, a Facebook security engineer messaged Shreateh, requesting more details about the vulnerability. A few minutes after that, however, Facebook suspended Shreateh's account.

In response to Shreateh requesting that his account be reactivated, Facebook said the suspension had been a precautionary measure. "When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," wrote a member of Facebook's security team. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."

Facebook also told Shreateh that his technique for illustrating the vulnerability had disqualified him from the company's White Hat bug bounty program. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," wrote Facebook's security team.

Indeed, Facebook's "responsible disclosure policy" says that any payout is contingent on researchers not making any vulnerability details public until after the social network has put a fix in place. In return, Facebook agrees to -- in effect -- indemnify anyone who shares vulnerability information. "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," according to Facebook's policies.

Still, did the social network do the right thing with its handling of Shreateh? "I have to admit that I have some sympathy with Facebook on this issue," said independent security researcher Graham Cluley on his blog. "Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."

"Instead, he might have been wiser to go back (again) to Facebook's Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact," Cluley said. "If he was still not happy with their response, a technology journalist should perhaps have been his next port of call."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RobinR264
50%
50%
RobinR264,
User Rank: Apprentice
8/19/2013 | 6:39:44 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Facebook Zucks
Userlevel6
50%
50%
Userlevel6,
User Rank: Apprentice
8/19/2013 | 5:13:20 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
There's one more reason I'll never be involved with anything related to Facebook, so long as I still have a choice. Facebook is evil. Evil, greedy, and a total waste of time.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/19/2013 | 5:07:32 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
I have to agree with TomW925. This guy will be employed by another company very soon.

But I'll also agree with Facebook on one thing: Shreateh's method of getting his point across, including using a photo of Snowden, was a terrible idea.
DewiT423
50%
50%
DewiT423,
User Rank: Apprentice
8/19/2013 | 4:24:14 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Lord how cheap can Facebook owners be? They refuse to give him 500 USD bounty and Zuckerburg's sister who is a billionaire in her right advertises for an unpaid assistant. Zuckerburg only tries to keep the cash but not spread it around, otherwise why does he only want the cheap HB1 Visa holders rather than hire good ole American citizens.
TomW925
50%
50%
TomW925,
User Rank: Apprentice
8/19/2013 | 4:20:51 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
If he wanted a job working with Facebook, this was a bad idea. If he wanted a job working in another company's white hat debt, this was a good idea.

"A grey hat hacker is a combination of a black hat and a white hat
hacker. A grey hat hacker may surf the internet and hack into a computer
system for the sole purpose of notifying the administrator that their
system has a security defect, for example. Then they may offer to
correct the defect for a fee.[11]"
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?