Facebook vulnerability reporting: the wrong way

When you want to demonstrate a vulnerability to the Facebook bug bounty team, try to find a polite way to do it with test accounts rather than using Mark Zuckerberg's timeline.

Palestinian hacker Khalil Shreateh reported a bug in Facebook through their White Hat bug bounty program. It didn't go well for him. Some misunderstanding and obtuse thinking on both sides resulted in Shreateh losing his bounty.

The bug he was reporting allows a user to post to the wall of a user of whom he is not a friend. In his initial report to Facebook, he demonstrates his bug by posting on Sarah Goodin's timeline; as he explains, "Sarah Goodin is the girl that was in the same college with Mark Zuckerberg."

Already he's going about it the wrong way. He violates the terms of service by posting to a non-friend's account; some such posting is unavoidable, since the bug can only be demonstrated against an account that is not a friend of the poster. But that non-friend doesn't need to be someone like Sarah Goodin; a second account under his own control would do just as well. I personally keep a second Facebook account just for testing, and it wouldn't have been hard for him to do the same.

The Facebook White Hat guys surpass Shreateh's obtuseness with their response to him. He sends them a link to the post he made and they say that when they click on it, they get an error message. Well, duh! If they're not friends of Sarah Goodin they should expect to get an error message when viewing her timeline; then again, this is another reason why (ab)using her account was a bad idea for Shreateh.

If I were Shreateh at this point, I would ask the Facebook guys to give me the name of some test account to which they have access and with which I am not a friend, so that I could demonstrate the bug. Shreateh decides to go about things another way: he tells them that he will post to Mark Zuckerberg's timeline. Incredibly, the Facebook guys just tell him that "this is not a bug" and ignore his remark about posting on Zuckerberg's timeline. So Shreateh emails back to tell them he has "no choice than to post to Mark Zuckerberg's timeline." And that's what he does.

In the YouTube video below, Shreateh demonstrates the exploit, although at the critical moment he doesn't really show what he's doing. It involves the user id of the user on whose timeline he is posting; in other words, the server accepts a caller-supplied target id without checking that the poster is allowed to post to that timeline.
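As an added illustration that is not part of the original post and not Facebook's own code, the following hypothetical Python model shows the class of bug being described: a timeline-post handler that trusts a caller-supplied target user id, beside a version that checks the relationship between poster and target before accepting the post. The account names, numeric ids, `Directory` helper and function names are all assumptions made for the example, and the accounts it uses stand in for the test accounts a reporter should demonstrate against.

```python
# Hypothetical model of an authorization bug on a "post to timeline" handler.
# Not Facebook's code; every name and id here is invented for illustration.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the actor may not post to the target's timeline."""


@dataclass
class User:
    user_id: int
    friends: set = field(default_factory=set)     # ids of this user's friends
    timeline: list = field(default_factory=list)  # (poster_id, text) tuples


class Directory:
    """Minimal in-memory user store, looked up by numeric user id."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def get(self, user_id):
        return self.users[user_id]


def post_to_timeline_vulnerable(directory, actor_id, target_id, text):
    """Vulnerable: the target id comes from the request and is used directly.
    Any authenticated user can post to any timeline just by knowing the id."""
    target = directory.get(target_id)
    target.timeline.append((actor_id, text))
    return True


def can_post_to(directory, actor_id, target_id):
    """Server-side check: own timeline, or the target lists the actor as a friend."""
    target = directory.get(target_id)
    return actor_id == target_id or actor_id in target.friends


def post_to_timeline_fixed(directory, actor_id, target_id, text):
    """Hardened: authorize the (actor, target) pair before touching the timeline."""
    if not can_post_to(directory, actor_id, target_id):
        raise PermissionDenied(f"user {actor_id} may not post to {target_id}")
    directory.get(target_id).timeline.append((actor_id, text))
    return True


def demo():
    # Constructed sample accounts (think of them as test accounts you control):
    # alice and bob are friends; mallory is friends with nobody.
    alice = User(1001, friends={1002})
    bob = User(1002, friends={1001})
    mallory = User(1003)
    directory = Directory([alice, bob, mallory])

    # Vulnerable handler: mallory posts to alice's timeline despite not being a friend.
    vulnerable_accepted = post_to_timeline_vulnerable(directory, 1003, 1001, "hello")

    # Fixed handler rejects the same request ...
    try:
        post_to_timeline_fixed(directory, 1003, 1001, "hello")
        fixed_accepted = True
    except PermissionDenied:
        fixed_accepted = False

    # ... but still lets a real friend (bob) post to alice's timeline.
    friend_accepted = post_to_timeline_fixed(directory, 1002, 1001, "hi alice")

    return {
        "vulnerable_accepted": vulnerable_accepted,
        "fixed_accepted": fixed_accepted,
        "friend_accepted": friend_accepted,
        "alice_timeline": list(alice.timeline),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the only thing the attacker controls is the target id; the fix is not to hide ids but to authorize the pair of accounts on the server for every request. Note also that the whole demonstration runs between accounts the reporter owns, which is exactly how a bounty report should demonstrate it.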

Only now does Facebook ask Shreateh for details of the exploit. They follow this question up by deactivating his account. He asks them to reactivate it and they do. But they also say that they will not pay him the bounty for the bug because he violated their terms of service.

Both Facebook and Shreateh could have handled this better. Shreateh had better options than to post on third parties' timelines, let alone Mark Zuckerberg's, but Facebook could also have made it easier for him to demonstrate a bug whose demonstration necessarily requires a TOS violation. I hope they find a way to get Shreateh the money, because he deserves it in spite of the arrogant way he demonstrated the bug.

Hat tip to Johannes Ullrich and his ISC Stormcast for today.