Risk
8/19/2013
11:28 AM
Connect Directly
RSS
E-Mail
50%
50%

Facebook Slaps Researcher Who Hacked Zuckerberg's Wall

No bug bounty for you, says social network, after rebuffed researcher demonstrates massive security flaw by posting to Facebook founder's own wall.

10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)
Memo from Facebook to security researchers: Don't hack the boss's Facebook wall.

That's the gist of the company's response to Palestinian information security researcher Khalil Shreateh, who twice attempted to report a serious site vulnerability to the social network's White Hat team, only to have Facebook dismiss his reports when they couldn't be reproduced.

According to a blog post by Shreateh, the vulnerability, which he recently discovered, allowed him to post messages -- including photos and links -- to anyone's Facebook wall. That included Facebook walls that would have been private, with access restricted to anyone who wasn't "friends" with the accountholder.

Shreateh, who lists his occupation as being an unemployed information systems engineer, twice attempted to alert Facebook to the problem. He also included as a proof of concept a link to a private page to which he'd been able to post. The page belonged to Sarah Goodin, a close friend and former Harvard University classmate of Facebook CEO Mark Zuckerberg.

[ Hungry? Read Facebook Mobile Does Restaurant Reservations. ]

Both times, however, Facebook's security team replied that that it couldn't reproduce the problem. "Sorry this is not a bug," read one such email to Shreateh. As the security researcher tried to make clear, however, the bug couldn't be reproduced simply because Facebook's security team didn't have access rights to Goodin's wall -- they weren't "friends" on the social network.

Frustrated, Shreateh looked for a way to demonstrate the vulnerability to Facebook, and chose to do so by posting an arbitrary message to Zuckerberg's own wall. "Dear Mark Zuckerberg," began Shreateh's message. "Sorry for breaking your privacy and post (sic) to your wall, I has no other choice to make after all the reports I sent to Facebook team," continued Shreateh, who sent the message from his own Facebook account.

Shreateh also demonstrated the exploit in a video he recorded late Wednesday and posted to YouTube.

Posting to Zuckerberg's wall -- and possibly also because Shreateh used Edward Snowden's photograph as his profile image -- triggered a rapid response. Just minutes later, a Facebook security engineer messaged Shreateh, requesting more details about the vulnerability. A few minutes after that, however, Facebook suspended Shreateh's account.

In response to Shreateh requesting that his account be reactivated, Facebook said the suspension had been a precautionary measure. "When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," wrote a member of Facebook's security team. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."

Facebook also told Shreateh that his technique for illustrating the vulnerability had disqualified him from the company's White Hat bug bounty program. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," wrote Facebook's security team.

Indeed, Facebook's "responsible disclosure policy" says that any payout is contingent on researchers not making any vulnerability details public until after the social network has put a fix in place. In return, Facebook agrees to -- in effect -- indemnify anyone who shares vulnerability information. "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," according to Facebook's policies.

Still, did the social network do the right thing with its handling of Shreateh? "I have to admit that I have some sympathy with Facebook on this issue," said independent security researcher Graham Cluley on his blog. "Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."

"Instead, he might have been wiser to go back (again) to Facebook's Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact," Cluley said. "If he was still not happy with their response, a technology journalist should perhaps have been his next port of call."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
TomW925
50%
50%
TomW925,
User Rank: Apprentice
8/19/2013 | 4:20:51 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
If he wanted a job working with Facebook, this was a bad idea. If he wanted a job working in another company's white hat debt, this was a good idea.

"A grey hat hacker is a combination of a black hat and a white hat
hacker. A grey hat hacker may surf the internet and hack into a computer
system for the sole purpose of notifying the administrator that their
system has a security defect, for example. Then they may offer to
correct the defect for a fee.[11]"
DewiT423
50%
50%
DewiT423,
User Rank: Apprentice
8/19/2013 | 4:24:14 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Lord how cheap can Facebook owners be? They refuse to give him 500 USD bounty and Zuckerburg's sister who is a billionaire in her right advertises for an unpaid assistant. Zuckerburg only tries to keep the cash but not spread it around, otherwise why does he only want the cheap HB1 Visa holders rather than hire good ole American citizens.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/19/2013 | 5:07:32 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
I have to agree with TomW925. This guy will be employed by another company very soon.

But I'll also agree with Facebook on one thing: Shreateh's method of getting his point across, including using a photo of Snowden, was a terrible idea.
Userlevel6
50%
50%
Userlevel6,
User Rank: Apprentice
8/19/2013 | 5:13:20 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
There's one more reason I'll never be involved with anything related to Facebook, so long as I still have a choice. Facebook is evil. Evil, greedy, and a total waste of time.
RobinR264
50%
50%
RobinR264,
User Rank: Apprentice
8/19/2013 | 6:39:44 PM
re: Facebook Slaps Researcher Who Hacked Zuckerberg's Wall
Facebook Zucks
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio