Hacker Demonstrates Facebook Exploit On Mark Zuckerberg's Wall

[Image: Mark Zuckerberg's Facebook page]

A Palestinian "white hat" hacker decided to make his point by posting on Mark Zuckerberg's wall after Facebook ignored his warnings about a vulnerability in the system.

Khalil Shreateh, a technical sort of fellow from Yatta, Hebron, recently discovered a vulnerability in Facebook that allowed him to post to anyone's wall, even if it was set to private. He reported the issue through Facebook's "Whitehat" system, which offers a minimum reward of $500 for such discoveries, along with a link to a message he'd written on the wall of Sarah Goodin, a woman who attended the same college as Facebook founder Mark Zuckerberg.

Unfortunately, Facebook security told him that the link he provided resulted in an error, so he resubmitted, explaining why the error occurred and also stating that he might post a message on Zuckerberg's wall to get his point across. After his second submission, Facebook said simply that what he was reporting was not a bug, so he did as he'd warned and posted a message detailing the exploit, along with his report to Facebook security (and its dismissive response), on Zuckerberg's wall.

Very shortly after the message went up, Shreateh was contacted by a Facebook engineer seeking more information about the exploit; soon after that, his account was disabled. When he filed yet another report asking why, he was told it had been shut down "as a precaution."

"When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," a security engineer said in a message. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions."

His account has since been re-enabled but sadly, despite clearly finding a bug, Shreateh won't be getting any reward. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," Facebook told him. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."

Source: Khalil, via Gizmodo


Great way to make a point. He didn't actually hurt anyone, but proved that he can break the security of Facecrook.

And what are the idiots doing? Acting like little children.........Jackasses.....

I'm glad I never started on facebook

Wait, what? Someone finds a major issue with your site, you blow them off, then they exploit it to show you exactly how big a problem it is, and you disable their account for doing it. Does Facebook even care about the privacy of its users? Or was this just a way of avoiding paying somebody for doing your work for you? It probably won't affect the average Facebook user, but it's still a stupid move.

in other words:

Facebook bragged around like a Jersey Shore guido, and when they got some teeth punched out they say it was an accident and totally not some other bro/dudette.

here is a demo hack from the guy

"We screwed up, but we're a big company so we're just going to pretend it was your fault!"

I think this is most likely a case where said security engineer himself did not possess sufficient knowledge to understand the technical details provided. After all, if it was a simple error it would be easy to solve for a security expert with sufficient knowledge of the systems in place, or if it was a complex error then the guy in question would need to be very knowledgeable to exploit it.

Considering there apparently hasn't been any widespread use on a site with as many users as Facebook, a portion of which are sure to be both looking for these things and highly intelligent, I think it's safe to say that Mr. Shreateh was not the one at fault but was instead dealing with incompetent 'security' engineers.

Cheapskates. They're consistently doing this crap to the people they hire to find the bugs. What asses.

Clearly his only course of action now is to follow it up with false posts detailing how Zuckerberg has just finished making sweet love to his neighbour's dog.

Since, y'know, this exploit clearly doesn't exist.

Classy... real classy Facebook...

They need to pay him. It's their own fault he had to violate their Terms of Service because they wouldn't listen to him both times when he reported it. In fact the people that told him it wasn't a bug should be fired because they clearly were not doing their jobs.

The bad PR alone will cost them more than what they should have paid the guy; hell, if he's that good they should have him on payroll.

I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.

Now, all things considered, the fair thing to do would be to find some way to pay the guy something, but it certainly shouldn't be publicized. Facebook is not small, nor private. Their terms of service are not intended as a suggestion nor a joke, and publicly rewarding someone in violation of those terms is a big no-no, something they likely have entire PR and legal departments dedicated to pointing out.

I mean, come on, do you think a company like Facebook gives a shit about $500 to one guy in the context of anything that could theoretically cause any problem at all for its hundreds of millions of users? I doubt it.

Now, if they got enough bad press over this I wouldn't be surprised to see some sort of compensation tossed out to save face, but at the moment they've decided that rewarding someone who publicly breaks your rules looks worse, and that's perfectly reasonable.

Sounds like Farcebook is becoming the modern Thomas Edison, if not already exceeding his level of jackassery, and this poor bloke is their current Nikola Tesla. They better watch who they cross. Some guys might use their death rays (read: use an exploit that causes lots of damage and lost revenue).

Jadak:
I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.

Now, all things considered, the fair thing to do would be to find some way to pay the guy something, but it certainly shouldn't be publicized. Facebook is not small, nor private. Their terms of service are not intended as a suggestion nor a joke, and publicly rewarding someone in violation of those terms is a big no-no, something they likely have entire PR and legal departments dedicated to pointing out.

I mean, come on, do you think a company like Facebook gives a shit about $500 to one guy in the context of anything that could theoretically cause any problem at all for its hundreds of millions of users? I doubt it.

Now, if they got enough bad press over this I wouldn't be surprised to see some sort of compensation tossed out to save face, but at the moment they've decided that rewarding someone who publicly breaks your rules looks worse, and that's perfectly reasonable.

Actually, you're approaching this at a rather pathetically narrow-minded view of the situation. You are focusing on the one individual in the context of just this one event, as if they were somehow going to be compartmentalized and thus not affect anything outside of it.

When in actuality, this type of event has consequences. Other people might see this, and decide that they won't bother reporting any bugs through the "White Hat" system because, as shown, Facebook can more than easily just handwave it off and tell them "Oh not a glitch, sorry you get nothing".

Which, in turn, will lead to those who do exploit and poke around at Facebook's code to not report to them, and instead use it for personal gain, if not monetary then at least enjoyment. If Facebook refuses to acknowledge the glitch (which they did in the first place, if you missed it), then why bother reporting it to them when it can be used for your, or others', gain.

And I'm sure that some people who are interested in phishing account information from Facebook users, as well as potentially credit card information, the ability to post on others walls even if they are set to private could be handy in that regard.

Which is why this whole "Find glitch, +$500" system was started to begin with.

wombat_of_war:
The bad PR alone will cost them more than what they should have paid the guy; hell, if he's that good they should have him on payroll.

But if he is on their payroll they will actually have to pay him for fixing their mistakes. This way they get it done for free.

Glad to see that companies are still rewarding benevolent but skilled people pointing out bugs in the system instead of sharing them and causing crap to hit the fan. It's this kind of maturity and integrity that ensures that companies are completely exempt from any kind of criticism, and that they are allowed to do as they please.

ThunderCavalier:
Glad to see that companies are still rewarding benevolent but skilled people pointing out bugs in the system instead of sharing them and causing crap to hit the fan. It's this kind of maturity and integrity that ensures that companies are completely exempt from any kind of criticism, and that they are allowed to do as they please.

Nice turn-around on that last sentence.

Anyways: Just pay the damn guy, Facebook. You are one of (if not THE) most popular websites on all of the internet. You can afford a measly $500.

cursedseishi:

Actually, you're approaching this at a rather pathetically narrow-minded view of the situation. You are focusing on the one individual in the context of just this one event, as if they were somehow going to be compartmentalized and thus not affect anything outside of it.

When in actuality, this type of event has consequences. Other people might see this, and decide that they won't bother reporting any bugs through the "White Hat" system because, as shown, Facebook can more than easily just handwave it off and tell them "Oh not a glitch, sorry you get nothing".

Which, in turn, will lead to those who do exploit and poke around at Facebook's code to not report to them, and instead use it for personal gain, if not monetary then at least enjoyment. If Facebook refuses to acknowledge the glitch (which they did in the first place, if you missed it), then why bother reporting it to them when it can be used for your, or others', gain.

And I'm sure that some people who are interested in phishing account information from Facebook users, as well as potentially credit card information, the ability to post on others walls even if they are set to private could be handy in that regard.

Which is why this whole "Find glitch, +$500" system was started to begin with.

You're right, if you ignore all the details, anyways.

You're arguing that, essentially, this sets a trend that discourages this reward system, and you're ignoring the details of this event, or at least the point of my post, to do so. My entire point was that they're not simply refusing to reward someone, they're refusing to reward a violation of their terms of service.

This does nothing to discourage 'glitch finders'; this discourages them from actually taking what they find and abusing the system to make their point. There's nothing wrong with that, and it in no way supports the idea that if you find a glitch, Facebook won't pay you.

The one and only problem on that front is with whoever received the bug reports and decided to dismiss what was reported (although, as was mentioned in the article, the Facebook engineer could be correct in that not enough explanation was provided to be useful), and problems like that could indeed cause issues for the perception of this reward system, but that's a different issue. What matters here is the simple decision to not pay someone who publicly violated your service.

Maybe a good choice, maybe not, but not one that does anything to discourage those using the system as intended. The only problem there is with cases such as this, where real issues slip through the cracks.

Paying a guy off for finding your websites exploit? $500
"Ignoring" them and benefiting from their vigilance? $0
Waiting till they make you look like an idiot while discrediting your own free bug finding workforce by continuing to refuse to pay them? Priceless.

Boy I love the reality where being honest and good with your arguably gray-aligned abilities nets you a pat on the head and 0 money.

Where if he'd given this info to a few more skeezy parties, he'd probably have made bank.

Thanks facebook, thanks for reaffirming that companies like you are STILL digging your own graves through terrible moral compasses and hiding behind made up rules.

Jadak:
I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.

Now, all things considered, the fair thing to do would be to find some way to pay the guy something, but it certainly shouldn't be publicized. Facebook is not small, nor private. Their terms of service are not intended as a suggestion nor a joke, and publicly rewarding someone in violation of those terms is a big no-no, something they likely have entire PR and legal departments dedicated to pointing out.

I mean, come on, do you think a company like Facebook gives a shit about $500 to one guy in the context of anything that could theoretically cause any problem at all for its hundreds of millions of users? I doubt it.

Now, if they got enough bad press over this I wouldn't be surprised to see some sort of compensation tossed out to save face, but at the moment they've decided that rewarding someone who publicly breaks your rules looks worse, and that's perfectly reasonable.

Sorry. The terms of service do not say that they can refuse to pay you anything owed through other programs or services they provide. The terms say that they can shut down your account.

So in reality, the *proper* course of action is to pay him the $500, ban his account, fire the dumb fuck who said it wasn't a glitch at all, and then see if Mr. Shreateh is interested in the now vacant position.

We can now expect no hacker to report found issues; they will instead sell the exploit to the highest bidder.

Nice work Facebook :)

Facebook said simply that what he was reporting was not a bug

You know, I'm just curious how they determined he was in breach of the terms of service, when they themselves had told him that such was not a bug. And when something isn't a bug it's generally a feature (and some bugs count as features when they produce awesome results).

To me this is them just being jerks after they screwed up, considering he did the right thing reporting it, trying to re-explain the situation and warning them of how he was going to provide an example for them prior to them dismissing it as not being a bug.

Al.

Kwil:

Sorry. The terms of service do not say that they can refuse to pay you anything owed through other programs or services they provide. The terms say that they can shut down your account.

So in reality, the *proper* course of action is to pay him the $500, ban his account, fire the dumb fuck who said it wasn't a glitch at all, and then see if Mr. Shreateh is interested in the now vacant position.

Have you read the terms of service? I certainly haven't, and while you could be right, with the extensive terms of service agreements companies tend to have these days I wouldn't at all be surprised if there was in fact something applicable to the situation.

As for the firing, hardly enough details to make that determination. First and possibly most important is the sheer quantity of reports Facebook may or may not get. Maybe it's few, maybe it's a shitload, I don't know, but I would expect the latter, along with the fact that no small number of them are spam or otherwise not worth anyone's time. If that is the case, then it's unfortunate but frankly, shit happens, legit things can look like spam, things get missed and there's no guarantee anyone else would do any better. Not saying the guy shouldn't be fired, but far too few details here to claim incompetence on his part.

Andy Chalk:
Facebook told him. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."

I'm sure he will be more than happy to do just that.

I mean, wouldn't anyone?

--Morology!

Jadak:

Kwil:

Sorry. The terms of service do not say that they can refuse to pay you anything owed through other programs or services they provide. The terms say that they can shut down your account.

So in reality, the *proper* course of action is to pay him the $500, ban his account, fire the dumb fuck who said it wasn't a glitch at all, and then see if Mr. Shreateh is interested in the now vacant position.

Have you read the terms of service? I certainly haven't, and while you could be right, with the extensive terms of service agreements companies tend to have these days I wouldn't at all be surprised if there was in fact something applicable to the situation.

As for the firing, hardly enough details to make that determination. First and possibly most important is the sheer quantity of reports Facebook may or may not get. Maybe it's few, maybe it's a shitload, I don't know, but I would expect the latter, along with the fact that no small number of them are spam or otherwise not worth anyone's time. If that is the case, then it's unfortunate but frankly, shit happens, legit things can look like spam, things get missed and there's no guarantee anyone else would do any better. Not saying the guy shouldn't be fired, but far too few details here to claim incompetence on his part.

I haven't read the terms of service. But I know they don't say that because that's the law. No agreement can state that failure to adhere to one particular agreement cancels the company's obligations in any other separate agreements. That's simply contract law.

And the whitehat policy, found here: https://www.facebook.com/whitehat , is clearly a separate agreement as it makes absolutely no reference to its Terms of Service or to requiring that the whitehat hold an account. In fact, it explicitly encourages the whitehat to *avoid* using real accounts for the activity; a judge would see that as an explicit denial of a link between this activity and their account system, ergo, their terms of service.

Bad form on Facebook's part really. $500 is nothing to them, and it's not like the guy didn't warn them that that was what he was going to do.

I'm kinda surprised they aren't seriously looking at hiring the guy really.

Kwil:

I haven't read the terms of service. But I know they don't say that because that's the law. No agreement can state that failure to adhere to one particular agreement cancels the company's obligations in any other separate agreements. That's simply contract law.

And the whitehat policy, found here: https://www.facebook.com/whitehat , is clearly a separate agreement as it makes absolutely no reference to its Terms of Service or to requiring that the whitehat hold an account. In fact, it explicitly encourages the whitehat to *avoid* using real accounts for the activity; a judge would see that as an explicit denial of a link between this activity and their account system, ergo, their terms of service.

That clears that up then, although interestingly enough, on the very page you linked there is a section that contains this text (right near the top):

Responsible Disclosure Policy
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

I'd say the "good faith effort to avoid privacy violations" goes out the window instantly, considering violating privacy is what he intentionally did to prove his point (albeit, still in good faith I guess).

Granted, it doesn't explicitly say 'will not pay you' on top of that, but come on. It's right there on the main page telling people to make an effort to avoid this kind of stuff to prove their points.

Jadak:
I'm amused at the people acting like Facebook is being dickish by not paying him, when in reality their point about 'violating the Terms of Service' is a perfectly legitimate one.

Now, all things considered, the fair thing to do would be to find some way to pay the guy something, but it certainly shouldn't be publicized. Facebook is not small, nor private. Their terms of service are not intended as a suggestion nor a joke, and publicly rewarding someone in violation of those terms is a big no-no, something they likely have entire PR and legal departments dedicated to pointing out.

I mean, come on, do you think a company like Facebook gives a shit about $500 to one guy in the context of anything that could theoretically cause any problem at all for its hundreds of millions of users? I doubt it.

Now, if they got enough bad press over this I wouldn't be surprised to see some sort of compensation tossed out to save face, but at the moment they've decided that rewarding someone who publicly breaks your rules looks worse, and that's perfectly reasonable.

So you think blackhats won't violate terms of service when they get into systems? Because that's exactly what they do. TOS aren't a deterrent for malicious intent.

Patrick Hayes:

So you think blackhats won't violate terms of service when they get into systems? Because that's exactly what they do. TOS aren't a deterrent for malicious intent.

Why would I think that? No, I'm saying don't pay them for doing it. Sure, this guy isn't a 'blackhat', and it's too bad his report was ignored / met with dismissal, but he could have kept at it; a better formulated report to argue the matter would have been an appropriate step, but he chose to 'make a point', and you don't typically pay people for fucking with you.

Jadak:

You're right, if you ignore all the details, anyways.

You're arguing that, essentially, this sets a trend that discourages this reward system, and you're ignoring the details of this event, or at least the point of my post, to do so. My entire point was that they're not simply refusing to reward someone, they're refusing to reward a violation of their terms of service.

This does nothing to discourage 'glitch finders'; this discourages them from actually taking what they find and abusing the system to make their point. There's nothing wrong with that, and it in no way supports the idea that if you find a glitch, Facebook won't pay you.

The one and only problem on that front is with whoever received the bug reports and decided to dismiss what was reported (although, as was mentioned in the article, the Facebook engineer could be correct in that not enough explanation was provided to be useful), and problems like that could indeed cause issues for the perception of this reward system, but that's a different issue. What matters here is the simple decision to not pay someone who publicly violated your service.

Maybe a good choice, maybe not, but not one that does anything to discourage those using the system as intended. The only problem there is with cases such as this, where real issues slip through the cracks.

They're fully within their rights refusing him payment, but the moment he went public by pasting it across Zuckerberg's page it went potentially viral.
At that point concerns about not rewarding people for violating your ToS are vastly superseded by the PR implications of how your reaction comes across to millions of onlookers, especially as Facebook is such a consumer-oriented company.

Personally I'd probably pay him for pointing out the glitch, and then ban him. You avoid looking like an ass in the latest viral storm in a teacup, while retaining the validity of your ToS.

Kargathia:

They're fully within their rights refusing him payment, but the moment he went public by pasting it across Zuckerberg's page it went potentially viral.
At that point concerns about not rewarding people for violating your ToS are vastly superseded by the PR implications of how your reaction comes across to millions of onlookers, especially as Facebook is such a consumer-oriented company.

Personally I'd probably pay him for pointing out the glitch, and then ban him. You avoid looking like an ass in the latest viral storm in a teacup, while retaining the validity of your ToS.

Doesn't quite cover the situation. Virtually any bad PR is more costly than $500 to a large public company, but that's ignoring a possible reason behind why they would bother to refuse payment based on ToS in the first place.

On the one hand, they get bad PR if they do what they're doing now. On the other hand, if they do pay the guy, they set a bad precedent and undermine the guidelines set forth for their whitehat program. If they do that, they're basically saying that strictly following the proper procedure is not required, that it is okay to publicly embarrass Facebook to prove your point, and still get paid for your trouble. That is a very bad message to send. Whether it's worse than the bad PR for not doing so is not a decision I would envy making.

Hey, didn't Zuckerberg do something similar to this too in college?

THANKS FOR THE FISH BRO!!! LULZ!!!

Is the message I think he received. I hope Facebook is ready for the shitstorm of crap that is coming their way if this guy finds a vital exploit.

His account has since been re-enabled but sadly, despite clearly finding a bug, Shreateh won't be getting any reward. "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service," Facebook told him. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."

Oh, for fuck's sake.

Grow a spine, admit that the fault was yours, and reward the man for doing your job for you, you petty sons of weasels!
