Risk
8/19/2013
11:28 AM
50%
50%

Facebook Slaps Researcher Who Hacked Zuckerberg's Wall

No bug bounty for you, says social network, after rebuffed researcher demonstrates massive security flaw by posting to Facebook founder's own wall.

10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)
Memo from Facebook to security researchers: Don't hack the boss's Facebook wall.

That's the gist of the company's response to Palestinian information security researcher Khalil Shreateh, who twice attempted to report a serious site vulnerability to the social network's White Hat team, only to have Facebook dismiss his reports when they couldn't be reproduced.

According to a blog post by Shreateh, the vulnerability, which he recently discovered, allowed him to post messages -- including photos and links -- to anyone's Facebook wall. That included Facebook walls that would have been private, with access restricted to anyone who wasn't "friends" with the accountholder.

Shreateh, who lists his occupation as being an unemployed information systems engineer, twice attempted to alert Facebook to the problem. He also included as a proof of concept a link to a private page to which he'd been able to post. The page belonged to Sarah Goodin, a close friend and former Harvard University classmate of Facebook CEO Mark Zuckerberg.

[ Hungry? Read Facebook Mobile Does Restaurant Reservations. ]

Both times, however, Facebook's security team replied that that it couldn't reproduce the problem. "Sorry this is not a bug," read one such email to Shreateh. As the security researcher tried to make clear, however, the bug couldn't be reproduced simply because Facebook's security team didn't have access rights to Goodin's wall -- they weren't "friends" on the social network.

Frustrated, Shreateh looked for a way to demonstrate the vulnerability to Facebook, and chose to do so by posting an arbitrary message to Zuckerberg's own wall. "Dear Mark Zuckerberg," began Shreateh's message. "Sorry for breaking your privacy and post (sic) to your wall, I has no other choice to make after all the reports I sent to Facebook team," continued Shreateh, who sent the message from his own Facebook account.

Shreateh also demonstrated the exploit in a video he recorded late Wednesday and posted to YouTube.

Posting to Zuckerberg's wall -- and possibly also because Shreateh used Edward Snowden's photograph as his profile image -- triggered a rapid response. Just minutes later, a Facebook security engineer messaged Shreateh, requesting more details about the vulnerability. A few minutes after that, however, Facebook suspended Shreateh's account.

In response to Shreateh requesting that his account be reactivated, Facebook said the suspension had been a precautionary measure. "When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," wrote a member of Facebook's security team. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."

Facebook also told Shreateh that his technique for illustrating the vulnerability had disqualified him from the company's White Hat bug bounty program. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," wrote Facebook's security team.

Indeed, Facebook's "responsible disclosure policy" says that any payout is contingent on researchers not making any vulnerability details public until after the social network has put a fix in place. In return, Facebook agrees to -- in effect -- indemnify anyone who shares vulnerability information. "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," according to Facebook's policies.

Still, did the social network do the right thing with its handling of Shreateh? "I have to admit that I have some sympathy with Facebook on this issue," said independent security researcher Graham Cluley on his blog. "Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."

"Instead, he might have been wiser to go back (again) to Facebook's Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact," Cluley said. "If he was still not happy with their response, a technology journalist should perhaps have been his next port of call."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
TomW925
50%
50%
TomW925,
User Rank: Apprentice
8/19/2013 | 4:20:51 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
If he wanted a job working with Facebook, this was a bad idea. If he wanted a job working in another company's white hat debt, this was a good idea.

"A grey hat hacker is a combination of a black hat and a white hat
hacker. A grey hat hacker may surf the internet and hack into a computer
system for the sole purpose of notifying the administrator that their
system has a security defect, for example. Then they may offer to
correct the defect for a fee.[11]"
DewiT423
50%
50%
DewiT423,
User Rank: Apprentice
8/19/2013 | 4:24:14 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Lord how cheap can Facebook owners be? They refuse to give him 500 USD bounty and Zuckerburg's sister who is a billionaire in her right advertises for an unpaid assistant. Zuckerburg only tries to keep the cash but not spread it around, otherwise why does he only want the cheap HB1 Visa holders rather than hire good ole American citizens.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/19/2013 | 5:07:32 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
I have to agree with TomW925. This guy will be employed by another company very soon.

But I'll also agree with Facebook on one thing: Shreateh's method of getting his point across, including using a photo of Snowden, was a terrible idea.
Userlevel6
50%
50%
Userlevel6,
User Rank: Apprentice
8/19/2013 | 5:13:20 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
There's one more reason I'll never be involved with anything related to Facebook, so long as I still have a choice. Facebook is evil. Evil, greedy, and a total waste of time.
RobinR264
50%
50%
RobinR264,
User Rank: Apprentice
8/19/2013 | 6:39:44 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Facebook Zucks
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9710
Published: 2015-05-27
The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

CVE-2014-9715
Published: 2015-05-27
include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

CVE-2015-2666
Published: 2015-05-27
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

CVE-2015-2830
Published: 2015-05-27
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

CVE-2015-2922
Published: 2015-05-27
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?