Facebook vulnerability reporting: the wrong way

Summary: When you want to demonstrate a vulnerability to the Facebook bug bounty team, try to find a polite way to do it with test accounts rather than using Mark Zuckerberg's timeline.

Palestinian hacker Khalil Shreateh reported a bug in Facebook through their White Hat bug bounty program. It didn't go well for him. Some misunderstanding and obtuse thinking on both sides resulted in Shreateh losing his bounty.

The bug he was reporting allows a user to post to the wall of a user of whom he is not a friend. In his initial report to Facebook, he demonstrates his bug by posting on Sarah Goodin's timeline; as he explains, "Sarah Goodin is the girl that was in the same college with Mark Zuckerberg."

Already he's going about it the wrong way. He violates the terms of service by posting to a non-friend's account; this is probably necessary to some degree in order to demonstrate the bug. But he doesn't need to go to someone like Sarah Goodin's page to do it. I personally keep a second Facebook account just for testing, and it wouldn't have been hard for him to do the same.

The Facebook White Hat guys surpass Shreateh's obtuseness with their response to him. He sends them a link to the post he made and they say that when they click on it, they get an error message. Well, duh! If they're not friends of Sarah Goodin they should expect to get an error message, but then again this is another reason why (ab)using her account was a bad idea for Shreateh.

If I were Shreateh at this point, I would ask the Facebook guys to give me the name of some test account to which they have access and with which I am not a friend so that I could demonstrate the bug. Shreateh decides to go about things another way: he tells them that he will post to Mark Zuckerberg's timeline. Incredibly, the Facebook guys just tell him that "this is not a bug" and ignore his remark about posting on Zuckerberg's timeline. So Shreateh emails back to tell them he has "no choice than to post to Mark Zuckerberg's timeline." And that's what he does:

In the YouTube video below, Shreateh demonstrates the exploit, although at the critical moment he doesn't really show what he's doing. It involves the user id of the user on whose timeline he is posting.

Only now does Facebook ask Shreateh for details of the exploit. They follow this question up by deactivating his account. He asked them to reactivate it and they did. But they also said that they would not pay him the bounty for the bug because he violated their terms of service.

Both Facebook and Shreateh could have handled this better. Shreateh had better options than to post on third parties' timelines, let alone Mark Zuckerberg's, but Facebook could also have made it easier for him to demonstrate a bug which requires a TOS violation. I hope they find a way to get Shreateh the money because he deserves it in spite of the arrogant way he demonstrated the bug.

Hat tip to Johannes Ullrich and his ISC Stormcast for today.

  • The fact is, the guy tried

    Another fact is, facebook ignores everyone - they don't CARE if there is a bug in their software, they MUST SAY THAT and LOOK LIKE THEY ARE TAKING BUGS but in reality they DO NOT CARE.

    When is ZDNET going to GET that GOOGLE, facebook, Microsoft and Apple don't CARE about human BEINGS, they CARE about their BOTTOM LINES?

    Instead of blasting facebook as you should have, you allowed the impression that this poor guy did something 'wrong' and he DID NOT DO ANYTHING WRONG SINCE FACEBOOK WOULD NOT HEED THE BUG REPORT!

    • stuff

      Cannot speak about any other companies but Microsoft, Apple, SOE, and Facebook. Apple takes last place in caring or fixing issues.... My last experience with Apple was reporting a bug that allows root access to any machine running their OS. They tried to charge me money to report the bug, something about I had to be on some type of paid program. After I said forget it, I was then threatened.

      Facebook just never responded to me when I sent in four different bug reports on gaining access to accounts or information on accounts that I should be able to access.

      SOE has been really poor too. I have gone as far as providing source code to fix the bugs after demonstrating them. Don't even get a response from them either. Would think after the whole lulzsec affair with them they would take bugs a bit more seriously.

      Sad to say, since I am a nix / apple user with only one computer running MS.... Microsoft has been the best for error reporting. They seem to care about their customers more than most tech companies. If they didn't have a crappy OS I would have stuck it out with them.
  • Being that hacking itself isn't exactly ethical, I'm not surprised . . .

    Being that hacking itself isn't exactly the most ethical of activities, I'm not surprised . . .
    • why sure...

      Why sure... since the US Government has made it very clear lately that the act of reporting anything that is wrong, evil, or unethical is a crime punishable by torture and years of solitary confinement...
  • What about others...

    violating the terms of service just to be able to post to someone's account they purposely want to hurt by using an account they set up with false information. That also violates the terms of service but it would result in someone being hurt. They should pay this man his bounty for reporting this to them even though he violated those terms. It could save them some headache and possibly even some money in the end.
  • Bad move Facebook

    Notice how they asked him all about how he did it before denying his bounty? How could he have violated his terms of service? I mean, is it really in there you can't post on someone else's wall unless you are friends with them? Because if the bug wasn't there, doing so would be impossible and there would be no reason to have that in the terms.
    Odis Lee
  • Pot meet kettle...

    If you are going to knock the guy for violating TOS then you might want to avoid admitting your own (Facebook) TOS violations:

    "You will not create more than one personal account."

    So Larry, what were you saying about your second account?
    • My second account

      It's not mine, it belongs to my imaginary friend.
      Larry Seltzer
  • Yeah... so they'll pay you if you report a bug... but you can't demonstrate

    Yeah... so they'll pay you if you report a bug... but you can't demonstrate the bug without violating the TOS (since it's a violation to create a second account anyway) and they won't pay you if you violate TOS. Essentially this means they won't pay for most bugs to be reported at all, they have a loophole to save themselves millions of dollars. Never mind who was obtuse first, this has to be their real goal all along.
  • Larry, you're the one who's arrogant

    Larry, I can't imagine why you defend TOS except that you're totally owned by the corporate community.
    Who needs Facebook or any other vendor that doesn't deal much much much better with bugs than Facebook does?
    I don't have time to play tea party etiquette with any vendor.
  • Facebook is welching

    From all that can be gathered on this incident, it appears that Facebook better pay up AND fix their issues with how bugs can be reported or demonstrated. Just because you don't like how the guy reporting the bug went about doing so doesn't mean that he was in the wrong, particularly when he TRIED to work with you.
  • I agree!

    Here is another interesting blogpost about the incident: