Like many companies these days Facebook offers a bug bounty program for security researchers to disclose vulnerabilities in return for a cash payment.
As long as the bugs qualify under Facebook’s whitehat terms and conditions, researchers can expect a reward of $500 or more.
Khalil Shreateh, an IT graduate from Palestine, recently discovered a vulnerability that allowed an attacker to post on someone’s timeline, even if they were not Facebook ‘friends’ with that person.
So Shreateh decided to demonstrate the bug on the timeline of Sarah Goodin, a friend of Facebook CEO Mark Zuckerberg. He then disclosed the bug to Facebook via the whitehat program. According to Shreateh, as Goodin only shares her posts with her friends, the Facebook team were unable to access his post and replied to tell him they could only see an error (sic):
facebook security replay was that the link gives error opening , if course they didnt use their authority to view sarah's privacy posts as sarah share her timeline posts with her friends only , i was able to view that post cause i'am the one who did post it even i'am not in her friend list. that what i told them in a replay and i also told them i may post to Mark Zuckerberg timelime
So he reported it again. Facebook replied:
I am sorry this is not a bug.
The determined Shreateh then decided to escalate his demonstration by posting to Zuckerberg’s own timeline.
Dear Mark Zuckerberg,
First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports i sent to Facebook team.
My name is KHALIL, from Palestine .
couple days ago i discovered a serious Facebook exploit that allow users to post to other Facebook users timeline while they are not in friend list .
i report that exploit twice , first time i got a replay that my link has an error while opening , other replay i got was " sorry this is not a bug " . both reports i sent from http://www.facebook.com/whitehat , and as you see iam not in your friend list and yet i can post to your timeline .
“Minutes” after posting, he was contacted by a Facebook security engineer, Ola Okelola, who asked for more details about the exploit. According to Shreateh he then had his account suspended (it has since been reinstated).
He also posted this video, showing his exploit:
An engineer on Facebook’s security team, Matt Jones, said Facebook fixed the bug on Thursday but admitted that it should, perhaps, have asked Shreateh for more information.
He maintained, however, that Shreateh is not entitled to a bug bounty because he violated Facebook’s whitehat terms of service and responsible disclosure policy.
OK - so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video [he made to demonstrate the exploit] initially, we would have caught this much more quickly ...
... However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
Even if Shreateh believed he was disclosing the vulnerability in a responsible manner, Facebook’s bug bounty terms are clear.
Let’s hope that he won’t have been put off looking for other vulnerabilities in future, but that next time he’ll make sure he responsibly discloses the bug and can then enjoy reaping the bug bounty rewards.Follow @NakedSecurity