Facebook Slaps Researcher Who Hacked Zuckerbergs Wall

Published: 22/11/2024   Category: security




No bug bounty for you, says the social network, after a rebuffed researcher demonstrates a serious security flaw by posting to the Facebook founder's own wall.



Memo from Facebook to security researchers: Don't hack the boss's Facebook wall.
That's the gist of the company's response to Palestinian information security researcher Khalil Shreateh, who twice attempted to report a serious site vulnerability to the social network's White Hat team, only to have Facebook dismiss his reports when they couldn't be reproduced.
According to a blog post by Shreateh, the vulnerability, which he recently discovered, allowed him to post messages -- including photos and links -- to anyone's Facebook wall. That included Facebook walls that would have been private, with access restricted to anyone who wasn't friends with the account holder.
Shreateh, who lists his occupation as being an unemployed information systems engineer, twice attempted to alert Facebook to the problem. He also included, as a proof of concept, a link to a private page to which he'd been able to post. The page belonged to Sarah Goodin, a close friend and former Harvard University classmate of Facebook CEO Mark Zuckerberg.
Both times, however, Facebook's security team replied that it couldn't reproduce the problem. "Sorry this is not a bug," read one such email to Shreateh. As the security researcher tried to make clear, however, the bug couldn't be reproduced simply because Facebook's security team didn't have access rights to Goodin's wall -- they weren't friends on the social network.
Frustrated, Shreateh looked for a way to demonstrate the vulnerability to Facebook, and chose to do so by posting an arbitrary message to Zuckerberg's own wall. "Dear Mark Zuckerberg," began Shreateh's message. "Sorry for breaking your privacy and post (sic) to your wall, I has no other choice to make after all the reports I sent to Facebook team," continued Shreateh, who sent the message from his own Facebook account.
Shreateh also demonstrated the exploit in a video he recorded late Wednesday and posted to YouTube.
Posting to Zuckerberg's wall -- and possibly also because Shreateh used Edward Snowden's photograph as his profile image -- triggered a rapid response. Just minutes later, a Facebook security engineer messaged Shreateh, requesting more details about the vulnerability. A few minutes after that, however, Facebook suspended Shreateh's account.
In response to Shreateh requesting that his account be reactivated, Facebook said the suspension had been a precautionary measure. "When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," wrote a member of Facebook's security team. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."
Facebook also told Shreateh that his technique for illustrating the vulnerability had disqualified him from the company's White Hat bug bounty program. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," wrote Facebook's security team.
Indeed, Facebook's responsible disclosure policy says that any payout is contingent on researchers not making any vulnerability details public until after the social network has put a fix in place. In return, Facebook agrees to -- in effect -- indemnify anyone who shares vulnerability information. "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you," according to Facebook's policies.
Still, did the social network do the right thing with its handling of Shreateh? "I have to admit that I have some sympathy with Facebook on this issue," said independent security researcher Graham Cluley on his blog. "Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."
"Instead, he might have been wiser to go back (again) to Facebook's Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact," Cluley said. "If he was still not happy with their response, a technology journalist should perhaps have been his next port of call."
