Risk
8/19/2013
11:28 AM
50%
50%

Facebook Slaps Researcher Who Hacked Zuckerberg's Wall

No bug bounty for you, says social network, after rebuffed researcher demonstrates massive security flaw by posting to Facebook founder's own wall.

10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)
Memo from Facebook to security researchers: Don't hack the boss's Facebook wall.

That's the gist of the company's response to Palestinian information security researcher Khalil Shreateh, who twice attempted to report a serious site vulnerability to the social network's White Hat team, only to have Facebook dismiss his reports when they couldn't be reproduced.

According to a blog post by Shreateh, the vulnerability, which he recently discovered, allowed him to post messages -- including photos and links -- to anyone's Facebook wall. That included Facebook walls that would have been private, with access restricted to anyone who wasn't "friends" with the accountholder.

Shreateh, who lists his occupation as being an unemployed information systems engineer, twice attempted to alert Facebook to the problem. He also included as a proof of concept a link to a private page to which he'd been able to post. The page belonged to Sarah Goodin, a close friend and former Harvard University classmate of Facebook CEO Mark Zuckerberg.

[ Hungry? Read Facebook Mobile Does Restaurant Reservations. ]

Both times, however, Facebook's security team replied that that it couldn't reproduce the problem. "Sorry this is not a bug," read one such email to Shreateh. As the security researcher tried to make clear, however, the bug couldn't be reproduced simply because Facebook's security team didn't have access rights to Goodin's wall -- they weren't "friends" on the social network.

Frustrated, Shreateh looked for a way to demonstrate the vulnerability to Facebook, and chose to do so by posting an arbitrary message to Zuckerberg's own wall. "Dear Mark Zuckerberg," began Shreateh's message. "Sorry for breaking your privacy and post (sic) to your wall, I has no other choice to make after all the reports I sent to Facebook team," continued Shreateh, who sent the message from his own Facebook account.

Shreateh also demonstrated the exploit in a video he recorded late Wednesday and posted to YouTube.

Posting to Zuckerberg's wall -- and possibly also because Shreateh used Edward Snowden's photograph as his profile image -- triggered a rapid response. Just minutes later, a Facebook security engineer messaged Shreateh, requesting more details about the vulnerability. A few minutes after that, however, Facebook suspended Shreateh's account.

In response to Shreateh requesting that his account be reactivated, Facebook said the suspension had been a precautionary measure. "When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," wrote a member of Facebook's security team. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."

Facebook also told Shreateh that his technique for illustrating the vulnerability had disqualified him from the company's White Hat bug bounty program. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," wrote Facebook's security team.

Indeed, Facebook's "responsible disclosure policy" says that any payout is contingent on researchers not making any vulnerability details public until after the social network has put a fix in place. In return, Facebook agrees to -- in effect -- indemnify anyone who shares vulnerability information. "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," according to Facebook's policies.

Still, did the social network do the right thing with its handling of Shreateh? "I have to admit that I have some sympathy with Facebook on this issue," said independent security researcher Graham Cluley on his blog. "Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."

"Instead, he might have been wiser to go back (again) to Facebook's Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact," Cluley said. "If he was still not happy with their response, a technology journalist should perhaps have been his next port of call."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RobinR264
50%
50%
RobinR264,
User Rank: Apprentice
8/19/2013 | 6:39:44 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Facebook Zucks
Userlevel6
50%
50%
Userlevel6,
User Rank: Apprentice
8/19/2013 | 5:13:20 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
There's one more reason I'll never be involved with anything related to Facebook, so long as I still have a choice. Facebook is evil. Evil, greedy, and a total waste of time.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/19/2013 | 5:07:32 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
I have to agree with TomW925. This guy will be employed by another company very soon.

But I'll also agree with Facebook on one thing: Shreateh's method of getting his point across, including using a photo of Snowden, was a terrible idea.
DewiT423
50%
50%
DewiT423,
User Rank: Apprentice
8/19/2013 | 4:24:14 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Lord how cheap can Facebook owners be? They refuse to give him 500 USD bounty and Zuckerburg's sister who is a billionaire in her right advertises for an unpaid assistant. Zuckerburg only tries to keep the cash but not spread it around, otherwise why does he only want the cheap HB1 Visa holders rather than hire good ole American citizens.
TomW925
50%
50%
TomW925,
User Rank: Apprentice
8/19/2013 | 4:20:51 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
If he wanted a job working with Facebook, this was a bad idea. If he wanted a job working in another company's white hat debt, this was a good idea.

"A grey hat hacker is a combination of a black hat and a white hat
hacker. A grey hat hacker may surf the internet and hack into a computer
system for the sole purpose of notifying the administrator that their
system has a security defect, for example. Then they may offer to
correct the defect for a fee.[11]"
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.