Even though Mark Zuckerberg is taking two months off for paternity leave after the recent birth of his daughter, the 31-year-old billionaire Facebook founder isn’t ready to hang up his hoodie for good.
But a quirky bug in the Facebook website could have made it appear that he had quit, if you knew how to manipulate a Life Events post to change “Started working at…” to “Left job at…,” as a security researcher did using Zuckerberg’s timeline.
The bug affected every user’s publicly viewable career Life Events posts, up until Friday (4 December) when Facebook fixed the issue.
A security researcher named Sachin Thakuri was the first to spot the bug, and notified Facebook through its bug bounty program, but he said the company’s security team assured him that the bug was low-risk and they wouldn’t be fixing it.
Thakuri published his discovery on his personal blog on 18 November, but it wasn’t until VentureBeat picked up the story on 4 December that the bug got widespread attention.
Two hours after VentureBeat published an article about the bug, Facebook contacted the publication to say the bug had been fixed.
That was fast!
So, what happened exactly?
Thakuri told me via email that he discovered the Facebook flaw by playing around with some parameters on Facebook when he noticed the “weird behavior.”
Thakuri told me he attempted to convince Facebook’s security team that the bug was serious because it could allow anyone to spoof content about another person’s job history, but Facebook wasn’t concerned:
I tried convincing them to fix this issue by explaining the impact this could have because the bug allowed [anyone] to manipulate the work status of any user on Facebook. And since it was coming from a legit account there was very [little] chance to figure out that the work status was manipulated. They again replied on 12 November saying they still think this is a low-impact bug and won't be fixing this one.
The bug worked like this: a Life Event post for a job has a start date attached to it, and whether the job was shown as current was controlled by a parameter in the URL of the post: &ustart=1.
By deleting that parameter from the URL, the Facebook website showed the job as ended.
I tried the trick before Facebook fixed it, and I can tell you it worked (if you remove that bit from the URL now, post-fix, the post doesn’t show up at all).
The bug didn’t actually change anything on Zuckerberg’s profile. As Thakuri explained, the content was changed on the client side, not the server side.
If the content changed on the server side, that would be much worse – that would mean you could manipulate someone else’s profile without authorization.
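The client-side mechanism described above, as an added illustration that is not Facebook's code: a hypothetical renderer that takes the job's status from a URL flag (so anyone editing the URL changes what viewers see) beside one that takes it only from the server's record, plus a small regression check that renders the headline under several URL variants and confirms they agree. The Life Event record and the URLs are constructed sample data.

```javascript
// Constructed sample of a job Life Event as a server might return it.
// endDate === null means the person still holds the job.
const serverEvent = {
  employer: "Example Corp",
  startDate: "2004-02-01",
  endDate: null,
};

// Flawed renderer (hypothetical): "current job" is read from a URL query flag,
// so a viewer-controlled URL, not the server's data, decides the headline.
function renderFromUrl(event, pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const current = params.get("ustart") === "1";
  return current
    ? `Started working at ${event.employer}`
    : `Left job at ${event.employer}`;
}

// Hardened renderer: the URL is accepted but ignored for status; only the
// server record (which the viewer cannot edit) determines the headline.
function renderFromRecord(event, _pageUrl) {
  return event.endDate === null
    ? `Started working at ${event.employer}`
    : `Left job at ${event.employer}`;
}

// Regression check: a renderer is safe against this class of spoofing only if
// every URL variant for the same post yields the same headline.
function statusIsUrlIndependent(render, event, urls) {
  const headlines = new Set(urls.map((u) => render(event, u)));
  return headlines.size === 1;
}

// Constructed URL variants for the same post: with the flag, without it,
// and with an unrelated extra parameter.
const postUrls = [
  "https://www.example.com/post/123?type=work&ustart=1",
  "https://www.example.com/post/123?type=work",
  "https://www.example.com/post/123?type=work&ustart=1&ref=feed",
];

console.log("flawed renderer URL-independent:", statusIsUrlIndependent(renderFromUrl, serverEvent, postUrls));
console.log("hardened renderer URL-independent:", statusIsUrlIndependent(renderFromRecord, serverEvent, postUrls));
```

Run with Node; the flawed renderer reports `false` because dropping the flag flips the headline, while the hardened renderer reports `true`.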
Thakuri said he’s reported several bugs to Facebook this year, mostly API-related security flaws, and has been awarded a bug bounty for six of them.
As of Friday afternoon (Eastern Standard Time), Thakuri said Facebook hadn’t contacted him to let him know that it had fixed the Life Events bug, and he hasn’t received a bounty.
Still, Thakuri said he’s impressed with Facebook’s security team:
Facebook has a good security team who are very fast to react to these bugs and are very good to the researchers who submit bugs through bug bounty program.
By the way, because the bug involved public Life Event posts, we should all be reminded that privacy on Facebook is easy to overlook: keep your profile set to “Friends only” and be mindful of your audience when posting.