Risk
8/19/2013
11:28 AM
Connect Directly
RSS
E-Mail
50%
50%

Facebook Slaps Researcher Who Hacked Zuckerberg's Wall

No bug bounty for you, says social network, after rebuffed researcher demonstrates massive security flaw by posting to Facebook founder's own wall.

10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)
Memo from Facebook to security researchers: Don't hack the boss's Facebook wall.

That's the gist of the company's response to Palestinian information security researcher Khalil Shreateh, who twice attempted to report a serious site vulnerability to the social network's White Hat team, only to have Facebook dismiss his reports when they couldn't be reproduced.

According to a blog post by Shreateh, the vulnerability, which he recently discovered, allowed him to post messages -- including photos and links -- to anyone's Facebook wall. That included Facebook walls that would have been private, with access restricted to anyone who wasn't "friends" with the accountholder.

Shreateh, who lists his occupation as being an unemployed information systems engineer, twice attempted to alert Facebook to the problem. He also included as a proof of concept a link to a private page to which he'd been able to post. The page belonged to Sarah Goodin, a close friend and former Harvard University classmate of Facebook CEO Mark Zuckerberg.

[ Hungry? Read Facebook Mobile Does Restaurant Reservations. ]

Both times, however, Facebook's security team replied that that it couldn't reproduce the problem. "Sorry this is not a bug," read one such email to Shreateh. As the security researcher tried to make clear, however, the bug couldn't be reproduced simply because Facebook's security team didn't have access rights to Goodin's wall -- they weren't "friends" on the social network.

Frustrated, Shreateh looked for a way to demonstrate the vulnerability to Facebook, and chose to do so by posting an arbitrary message to Zuckerberg's own wall. "Dear Mark Zuckerberg," began Shreateh's message. "Sorry for breaking your privacy and post (sic) to your wall, I has no other choice to make after all the reports I sent to Facebook team," continued Shreateh, who sent the message from his own Facebook account.

Shreateh also demonstrated the exploit in a video he recorded late Wednesday and posted to YouTube.

Posting to Zuckerberg's wall -- and possibly also because Shreateh used Edward Snowden's photograph as his profile image -- triggered a rapid response. Just minutes later, a Facebook security engineer messaged Shreateh, requesting more details about the vulnerability. A few minutes after that, however, Facebook suspended Shreateh's account.

In response to Shreateh requesting that his account be reactivated, Facebook said the suspension had been a precautionary measure. "When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," wrote a member of Facebook's security team. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."

Facebook also told Shreateh that his technique for illustrating the vulnerability had disqualified him from the company's White Hat bug bounty program. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," wrote Facebook's security team.

Indeed, Facebook's "responsible disclosure policy" says that any payout is contingent on researchers not making any vulnerability details public until after the social network has put a fix in place. In return, Facebook agrees to -- in effect -- indemnify anyone who shares vulnerability information. "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," according to Facebook's policies.

Still, did the social network do the right thing with its handling of Shreateh? "I have to admit that I have some sympathy with Facebook on this issue," said independent security researcher Graham Cluley on his blog. "Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."

"Instead, he might have been wiser to go back (again) to Facebook's Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact," Cluley said. "If he was still not happy with their response, a technology journalist should perhaps have been his next port of call."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
TomW925
50%
50%
TomW925,
User Rank: Apprentice
8/19/2013 | 4:20:51 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
If he wanted a job working with Facebook, this was a bad idea. If he wanted a job working in another company's white hat debt, this was a good idea.

"A grey hat hacker is a combination of a black hat and a white hat
hacker. A grey hat hacker may surf the internet and hack into a computer
system for the sole purpose of notifying the administrator that their
system has a security defect, for example. Then they may offer to
correct the defect for a fee.[11]"
DewiT423
50%
50%
DewiT423,
User Rank: Apprentice
8/19/2013 | 4:24:14 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Lord how cheap can Facebook owners be? They refuse to give him 500 USD bounty and Zuckerburg's sister who is a billionaire in her right advertises for an unpaid assistant. Zuckerburg only tries to keep the cash but not spread it around, otherwise why does he only want the cheap HB1 Visa holders rather than hire good ole American citizens.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/19/2013 | 5:07:32 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
I have to agree with TomW925. This guy will be employed by another company very soon.

But I'll also agree with Facebook on one thing: Shreateh's method of getting his point across, including using a photo of Snowden, was a terrible idea.
Userlevel6
50%
50%
Userlevel6,
User Rank: Apprentice
8/19/2013 | 5:13:20 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
There's one more reason I'll never be involved with anything related to Facebook, so long as I still have a choice. Facebook is evil. Evil, greedy, and a total waste of time.
RobinR264
50%
50%
RobinR264,
User Rank: Apprentice
8/19/2013 | 6:39:44 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Facebook Zucks
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.