Like many companies these days, Facebook offers a bug bounty program for security researchers to disclose vulnerabilities in return for a cash payment.
As long as the bugs qualify under Facebook’s whitehat terms and conditions, researchers can expect a reward of $500 or more.
Khalil Shreateh, an IT graduate from Palestine, recently discovered a vulnerability that allowed an attacker to post on someone’s timeline, even if they were not Facebook ‘friends’ with that person.
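The bug described above is an authorization failure on a write action: the server accepted a post to a timeline without confirming that the poster was allowed to write there. The following is an added illustration and is not Facebook's code; the user model, the audience setting and the handler names are assumptions constructed for the example. It puts a handler that trusts the client to enforce the friend rule next to one that checks the stored relationship on every request, and exercises both with constructed test accounts rather than real users.

```python
"""Illustrative server-side authorization check for writing to a timeline.

Added example, not Facebook's code. Users, friendships and the audience
setting are assumptions modelled only to show the bug class and its fix.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Audience(Enum):
    """Who may see (and, in this model, write to) a user's timeline."""
    FRIENDS = "friends"
    EVERYONE = "everyone"


@dataclass
class User:
    user_id: str
    timeline_audience: Audience = Audience.FRIENDS
    friends: set[str] = field(default_factory=set)
    timeline: list[tuple[str, str]] = field(default_factory=list)


class AuthorizationError(Exception):
    pass


def add_friendship(a: User, b: User) -> None:
    """Friendship is symmetric; record it on both sides."""
    a.friends.add(b.user_id)
    b.friends.add(a.user_id)


def are_friends(a: User, b: User) -> bool:
    return b.user_id in a.friends and a.user_id in b.friends


def can_access_timeline(actor: User, target: User) -> bool:
    """One server-side rule for reading and writing a timeline:
    the owner always may; otherwise the target's audience setting decides."""
    if actor.user_id == target.user_id:
        return True
    if target.timeline_audience is Audience.EVERYONE:
        return True
    return are_friends(actor, target)


def post_to_timeline_vulnerable(actor: Optional[User], target: User, text: str) -> bool:
    """The bug class from the article: the handler checks only that someone is
    logged in and relies on the client UI having hidden the post box from
    non-friends. Any authenticated user who submits the request directly can
    write to any timeline."""
    if actor is None:
        raise AuthorizationError("login required")
    target.timeline.append((actor.user_id, text))
    return True


def post_to_timeline_fixed(actor: Optional[User], target: User, text: str) -> bool:
    """Hardened handler: authorization is decided on the server, per request,
    from the stored relationship rather than from anything the client claims."""
    if actor is None:
        raise AuthorizationError("login required")
    if not can_access_timeline(actor, target):
        raise AuthorizationError(
            f"{actor.user_id} is not permitted to post to {target.user_id}'s timeline")
    target.timeline.append((actor.user_id, text))
    return True


def run_demo() -> dict:
    """Exercise both handlers with constructed test accounts (no real users)."""
    owner = User("test_owner")                     # shares timeline with friends only
    friend = User("test_friend")
    stranger = User("test_stranger")               # not connected to owner
    public_user = User("test_public", Audience.EVERYONE)
    add_friendship(owner, friend)

    results = {}
    # Vulnerable handler: a stranger's post lands on the friends-only timeline.
    results["vulnerable_stranger_can_post"] = post_to_timeline_vulnerable(stranger, owner, "hi")

    # Fixed handler: the same request is refused.
    try:
        post_to_timeline_fixed(stranger, owner, "hi")
        results["fixed_stranger_can_post"] = True
    except AuthorizationError:
        results["fixed_stranger_can_post"] = False

    results["fixed_friend_can_post"] = post_to_timeline_fixed(friend, owner, "hello")
    results["fixed_stranger_can_post_public"] = post_to_timeline_fixed(stranger, public_user, "hey")
    # A non-friend cannot read the friends-only timeline either, which is why
    # a reviewer using an ordinary account would see an error on such a link.
    results["stranger_can_view_owner_timeline"] = can_access_timeline(stranger, owner)
    results["owner_timeline_entries"] = len(owner.timeline)  # one via the bug, one from the friend
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the fixed handler is that the relationship check runs inside the write path itself; hiding the post box in the UI, or checking the relationship only when rendering the page, leaves the endpoint open to any client that builds the request by hand.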
So Shreateh decided to demonstrate the bug on the timeline of Sarah Goodin, a friend of Facebook CEO Mark Zuckerberg. He then disclosed the bug to Facebook via the whitehat program. According to Shreateh, as Goodin only shares her posts with her friends, the Facebook team were unable to access his post and replied to tell him they could only see an error (sic):
facebook security replay was that the link gives error opening , if course they didnt use their authority to view sarah's privacy posts as sarah share her timeline posts with her friends only , i was able to view that post cause i'am the one who did post it even i'am not in her friend list. that what i told them in a replay and i also told them i may post to Mark Zuckerberg timelime
So he reported it again. Facebook replied:
I am sorry this is not a bug.
The determined Shreateh then decided to escalate his demonstration by posting to Zuckerberg’s own timeline.
Dear Mark Zuckerberg,
First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports i sent to Facebook team.
My name is KHALIL, from Palestine .
couple days ago i discovered a serious Facebook exploit that allow users to post to other Facebook users timeline while they are not in friend list .
i report that exploit twice , first time i got a replay that my link has an error while opening , other replay i got was " sorry this is not a bug " . both reports i sent from www.facebook.com/whitehat , and as you see iam not in your friend list and yet i can post to your timeline .
“Minutes” after posting, he was contacted by a Facebook security engineer, Ola Okelola, who asked for more details about the exploit. According to Shreateh, he then had his account suspended (it has since been reinstated).
He also posted this video, showing his exploit:
An engineer on Facebook’s security team, Matt Jones, said Facebook fixed the bug on Thursday but admitted that it should, perhaps, have asked Shreateh for more information.
He maintained, however, that Shreateh is not entitled to a bug bounty because he violated Facebook’s whitehat terms of service and responsible disclosure policy.
OK - so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video [he made to demonstrate the exploit] initially, we would have caught this much more quickly ...
... However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
Even if Shreateh believed he was disclosing the vulnerability in a responsible manner, Facebook’s bug bounty terms are clear.
Let’s hope he hasn’t been put off looking for other vulnerabilities in future, and that next time he makes sure to disclose the bug responsibly and can then enjoy reaping the bug bounty rewards.
Image of Mark Zuckerberg courtesy of Kobby Dagan / Shutterstock.com.
Ok, so my opinion in this case is disregard the TOS and PAY THE MAN! Perhaps it was an error in judgment by Mr. Shreateh, but I believe one in good faith. He could just as easily have used his hack in a malicious manner. Is it possible that he tried the proper procedure before the Sarah Goodin incident but was previously ignored, ultimately hacking Zuckerberg's account out of desperation to be recognized?
According to his timeline he tried on multiple occasions to inform FB about the bug; they replied on the last occasion that "it was not a bug", so, feeling like he could proceed no further, he chose the CEO as a target. This no doubt proved his point and should allow FB to pay this dude the reward he deserves.
Yah. Pay the guy. Don’t be like that or there won’t be an incentive to report more serious issues.
Since there was no harm done and he was trying to save Facebook's ass, it sounds more like the Facebook people were publicly embarrassed.
They should pay him rather than be whiny weasels about this.
I suspect if the gent notices another flaw he will be less inclined to help FB out a second time… once bitten twice shy?
They should be grateful to him; he tried to report it via the proper channels and, par for the course, F/b failed. They should pay up and not be so miserable.
As far as I know, no one has ever accused Facebook of having actual integrity. After all, this is a company whose motto is "Move fast and break things". So they certainly ought to know bad behavior when they see it. They allow themselves to commit plenty of it.
Apparently, they're not so permissive when others do the same…even when they don't have the same sneaky intent that Facebook has. In fact, Mr. Shreateh was self-evidently not trying to conceal his identity, so it's clear that he believed he was acting in good faith. But we're talking about Facebook, here. It's not an operation whose name is commonly mentioned in the same breath as "good faith".
I hate to admit it because I loathe Facebook, and it's arguable that they're using the Terms of Service as an excuse not to pay, but in this case I don't see how they can pay the bounty without appearing to condone Mr. Shreateh's violation of the Terms of Service. There's already enough chaos on Facebook. Encouraging more by paying the bounty probably would up the ante.
Facebook should not only PAY, they should also hire him.
In this case? Reward him and hire him. There are others with more nefarious motives, who would be only too happy to gain a resource like this young man and would pay him whatever he wants.
Just pay the man. It isn't much money.
Reminds me of the premise to a Good Day to Die Hard bahahaha
The point is what he was doing was grayhat not whitehat. There's a big difference.
I think Facebook should pay the man for his help.
They were the ones not believing him two times, and now they come with their shitty objections and treat him that way. This is so hilarious, because Facebook employees should not be that noob at all, but chiefly because technically they were helped by the man, and what would that damn few hundred dollars cost them…
pay the man, Facebook pay the man, no excuses
PAY THE GUY FOR GOD'S SAKE!
While it's unfortunate and not necessarily just, Facebook's reply does follow their official white hat policy.
Contractual obligation and morality are two very distinct entities. Facebook is well within their rights to not pay him.
I have never posted here, but this one requires a comment. Facebook is so lucky Shreateh gave them more than one chance to fix the bug, they should make an exception and give him the bounty. Use the incident to encourage him to use proper channels next time, but their refusal to pay is ridiculous.
I blame it on "lost in translation". I bet if they kept all of this information updated in his native language, and properly translated, there would have been no issue.
It wasn't irresponsible disclosure, it was disclosure direct to Facebook staff; it was, however, ethically naive and in contravention of a bunch of paperwork.
Whatever. Facebook just pay him, give him kudos, and remember the lesson from Marvel comics – Evil geniuses started out good, but got misunderstood early, and treated badly. So deal with it and save us all future trouble!;)
I believe that public disclosure is almost always the best way to go.
This man is worth much more than the crappy $500 that FB offer. I hope that he does well in life. I think he will.
FB really should keep people that help them on side. After all you wouldn't want to make an enemy of someone that clearly can exploit you would you?
This is why exploits get sold more often than reported to bug bounty programs. I know if it were me, I would not report the next flaw I found if they used a weak-ass excuse like that.
Zuckerman or should I say cooked man pay the man he deserves the recognition of his efforts in helping you keep facebook secure. lol you can't even keep the NSA out
I think Mr. Zuckerman should pay him this time…explaining that they have rules and protocol we must follow next time. An apology for not listening wouldn’t be out of order either.
Just restore my page please….
Why is everyone wanting him to be paid? He broke their whitehat policies before they said it wasn’t a bug; he should have shown the bug with a consenting account or a test account.