http://khalil-sh.blogspot.com/p/facebook_16.html
And hats off to Khaled. Hebron is not a fun place to grow up, and making it that far, a B.S. that is, is an accomplishment. I grew up with far more privilege and I am still not smart enough to come up with Facebook exploits.
It reflects incredibly bad on their relationship with the tech community and I am sure we will see some superficial backpedaling very soon.
You act as if corporations maliciously "screw their customers over". See the responses below and you'll see that in this specific case FB actually wins out when they pay more to their whitehats.
I hate to single out your specific response, but it's comments like this (and the other 90% on this thread) that remind me how very few people on HN have experience with businesses at scale. Classic old and inflexible corporations, or let's just call them "enterprises", create policies so they can protect the highest number of cases available, but not all of them. It would be silly to think otherwise.
Your answer - 'it's not a bug, it's a feature'
1) Getting the target user's userId. This used to be part of a user's profile URL but Facebook allowed people to choose a "vanity URL" quite a while ago, so they're no longer as visible. So, instead, the userId is obtained from a FB Graph API query.
2) The form that makes up the "post to newsfeed" has a bunch of hidden inputs. One of them refers to a "xhpc_targetid" and this is probably where the target userId is injected. It's normally set to the current user's id for a default newsfeed post. These values in the DOM are modified during the exploit using something like Chrome Developer Tools on-the-fly and the form is submitted.
If this is truly the case (and I haven't verified it myself) this means that the server side is not really checking permissions and just blindly trusting the client input. Reminded me of this recent (http://arstechnica.com/information-technology/2013/08/how-ea...) article about trusting client input.
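To make the "blindly trusting the client input" point concrete, here is an added example (not Facebook's code, and not from the post): a minimal "post to timeline" handler in the shape the comment describes, with the form-trusting version beside a hardened one that authorises the target against server-side state. The users, friendships, timeline policies and the `xhpc_targetid` handling are constructed assumptions.

```python
# Added example (not Facebook's code): a minimal "post to timeline" handler
# showing the client-trust failure described in the thread and a server-side fix.
# Users, friendships, privacy policies and the form layout are all constructed.

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    friends: set = field(default_factory=set)
    # who may post on this timeline: "friends" or "only_me" (constructed policy)
    timeline_policy: str = "friends"


USERS = {
    1: User(1, friends={2}),
    2: User(2, friends={1}),
    3: User(3, friends=set(), timeline_policy="only_me"),
}

# timeline owner id -> list of (author id, message)
TIMELINES = {uid: [] for uid in USERS}


def post_vulnerable(session_user_id: int, form: dict) -> bool:
    """Trusts the hidden form field: whoever edits xhpc_targetid in the DOM
    picks the timeline the post lands on, with no authorisation check."""
    target_id = int(form["xhpc_targetid"])
    TIMELINES[target_id].append((session_user_id, form["message"]))
    return True


def may_post_on_timeline(actor: User, owner: User) -> bool:
    """Server-side policy: you may post on your own timeline, or on a friend's
    timeline if the owner allows friends to post."""
    if actor.user_id == owner.user_id:
        return True
    if owner.timeline_policy == "only_me":
        return False
    return owner.timeline_policy == "friends" and actor.user_id in owner.friends


def post_hardened(session_user_id: int, form: dict) -> bool:
    """Treats xhpc_targetid as an untrusted hint and authorises it against the
    server's own view of the actor, the owner and the owner's settings."""
    actor = USERS[session_user_id]  # identity comes from the session, never the form
    try:
        target_id = int(form.get("xhpc_targetid", session_user_id))
    except ValueError:
        return False
    owner = USERS.get(target_id)
    if owner is None or not may_post_on_timeline(actor, owner):
        # Reject (and in a real service, log) the mismatch: a burst of rejected
        # targets from one session is a useful signal of hidden-field tampering.
        return False
    TIMELINES[target_id].append((session_user_id, form["message"]))
    return True
```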
They're still visible in photo albums and the like. Far from hidden.
Coincidentally, that bug was also exposed by a non-native English speaker who was dismissed for his inability to fluently express himself.
On this topic: I still have no clue what vulnerability it was. Guy, do you know terms such as XSS, CSRF, etc.? Can't you just say where the bug is? Nobody wants to watch a 6 (!) minute long video with Arabic subtitles, rofl. Peace.
Ad Board Chairwoman: Mr. Zuckerberg, this is an Administrative Board hearing. You're being accused of intentionally breaching security, violating copyrights, violating individual privacy by creating the website, www.facemash.com. You're also charged with being in violation of the University's policy on distribution of digitized images. Before we begin with our questioning you're allowed to make a statement. Would you like to do so?
Mark Zuckerberg: I've... [Mark stands up to make his statement]
Mark Zuckerberg: You know I've already apologized in the Crimson to the ABHW, to Fuerza Latina and to any women at Harvard who may have been insulted as I take it that they were. As for any charges stemming from the breach of security, I believe I deserve some recognition from this Board.
Ad Board Chairwoman: I'm sorry?
Mark Zuckerberg: Yes.
Ad Board Chairwoman: I don't understand.
Mark Zuckerberg: Which part?
Ad Board Chairwoman: You deserve recognition?
Mark Zuckerberg: I believe I pointed out some pretty gaping holes in your system.
----
The similarity is uncanny.
Paying out a bounty in that situation would be legally risky. Would advise against it.
Facebook's ToS forbid you to compromise other users accounts in any way. Its bug bounty terms require the consent of any accountholder used to search for bugs. It's also bound by California laws regarding breach notifications. And over the long term, it must retain the ability to enforce its own ToS. These are just the objections I can think of.
If you're going to participate in a bug bounty program --- and you should --- don't use non-consenting accounts to do it. This is a simple issue that's been blown out of proportion by message board pathology.
For all we know, the reporter might have thought, "This will never work" or is not up to speed on or didn't understand the rules. Facebook certainly didn't help him, at every turn, including the last email "Sorry, l2p."
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.
I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit - and right-aligned really badly, as the page evidently expects Arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.
This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.
edit - hmm, was about to check the situation with other languages, however now all the buttons are in Arabic so I stopped bothering after the fourth random page.
He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.
At the moment the loud and clear message is that there are far more welcome places than Facebook to report found issues.
Additionally, if you're not logged-in, then the test accounts page doesn't work. It redirects to the same page as facebook.com/whitehat, with no notification that the test accounts page even exists.
You should really pay him.
The right thing to do is add Khalil to the white hat list, and pay him what he deserves. He doesn't speak or read English, as you have noticed. Your TOS for the white hat page is NOT even translatable.
He used real accounts because your team did not care what he had to say. What do you think he should have done? Sell it to the black market?
But couldn't your team be a bit grateful? Though he did post to Zuck's account, he didn't sell the vulnerability as a zero day on the black market, no?
A cheap insurance policy, making the payout, cultivating trust with white hats who are nonetheless decidedly a bit bone headed (if not well meaning).
Alright, here's a preemptive question for you then.
Should a logged in user be able to retrieve the email addresses of an arbitrary friend, regardless of their contact privacy setting being set to "only me"?
You all are lucky that people are sharing this stuff with you guys for $500 instead of on the black market for much more. You're also lucky that people are doing the job that highly-paid Facebook engineers should have done. And if I read between the lines of your post, you and your team think that you're pretty clever.
The right thing to do is to cut this guy a check for $500 and keep your mouth shut, before people stop reporting security bugs to you.
I know I'm already discouraged--if I find anything, the last thing I want to deal with is a mediocre engineer telling me I didn't fill out the TPS form the right way.
The language barriers are enough to justify any mistakes made in conforming precisely with the t&cs. He didn't abuse the hack. He reported it to you. Pay him tbh.
"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.
That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.
He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post. Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.
Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."
You discover a bug on FB just by being a normal user not a "whitehat" security user:
* You discovered it by doing "something" to someone else's account --> FB will not pay : SELL on black market.
* You think the bug isn't really a bug but then it happens again --> FB will not pay : SELL on black market.
* You have a life that you don't want to waste with reading through legalese and filling out forms. FB says it is not a bug. Maybe they are right? You don't want to spend the time arguing about it over email --> SELL on black market
* You are not a lawyer, or do not do security testing full-time on FB. Or you are a normal user who has not kept up with the FB ToS now that we are on the 100 billionth version --> You probably did something wrong. --> FB will not pay : SELL on black market.
* You are a US citizen and do not want to be charged with CFAA violations as a hacker --> SELL on black market.
Otherwise,
FB might give you some money.
For a better PR, pay him and use this case as an example to teach the future whitehats. FB has low esteem for a reason.
It's pretty arrogant of Facebook to redefine the meaning of white hat, don't you think? Posting to the Facebook founder's page to let them know of a security vulnerability is not malicious, plain and simple, not. Trying to steer the embarrassment of your failings onto the fact that this guy didn't read your TOS is incredibly hypocritical.
Plus I am very sure the mistake was on Facebook's end in the first place. I experienced it myself: for 6 months now I have tried to get Facebook to take action, because of the privacy breaches and violation of Facebook terms by a Facebook user - I never even got a response on any channel I tried.
If you really do not give him his reward for the report that kept you informed, then this is extremely unfair on Facebook's end. In this case I strongly recommend to white hat hackers in future cases: do not count on the Facebook team; publish bugs and security issues on blogs. Obviously the Facebook team gives priority not based on whether a problem is urgent, only on how "public" it is.
Frank
In addition to all of that, it's the right thing to do.
You stay classy Facebook.
Shows how many issues there should be that are not taken into account.
BTW: English not being the primary language for these folks has nothing to do with anything; it shows how much stereotyping there is in being American or not. It's a global world, wake up!
BR,
That being said I think Facebook could have given the reward and a slap on the wrist at the same time considering the language barrier.
So each reporter received approx. $1000? That's all?... Heh, Facebook is a very greedy company.
"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
We have now re-enabled your Facebook account.
Joshua
Security Engineer
Facebook"
I can already picture people saying "of course, Mark Zuckerberg would refuse to acknowledge the work of a Palestinian." (regardless of the fact that Mark Zuckerberg describes himself as an atheist)
As many others have said: The TOS was only available in English and that's not his first language. He did the only thing he could to get your attention and fix the problem.
In the first email, Khalil simply says that he can post to Sarah Goodin's facebook wall. He makes no mention of the fact that he and Sarah Goodin aren't friends.
The Facebook engineer replies that he is unable to see anything from the link that Khalil sent. This is because the engineer and Sarah are not friends.
Khalil responds with a screen shot of the post. Again, Khalil makes absolutely no mention that he and Sarah are not friends at all. In fact, at this point it would appear that Khalil is friends with Sarah, as he states that only her friends can see her wall. I guess he is able to see the post he made though.
At this point, Khalil decides that the only course of action is to go post on MZ's wall. How is that sort of escalation appropriate? By paying Khalil at this point, all you are doing is telling people that MZ's account is an acceptable place to report vulnerabilities, which is a horrible precedent to set.
Most certainly, this chap should have followed proper decorum by consistently petitioning Facebook to pay heed, by filling out the necessary forms and ensuring a stamped, self-addressed envelope was also included should they choose to write to him at a later time.
And then to go and expound his savagery to the Noble CEO's account, an utter insult to civility indeed! (Yes! I'm being sarcastic)
In the comments of the blog post, Khalil admits that it isn't that he has a poor understanding of the English language, it is just that he doesn't care.
> whatever , i dont care for miss spelling , just the idea , i never correct an underline red word ;)
So we have a guy that doesn't give a crap about communicating correctly, who then complains when he is not understood.
Otherwise, next time he or any of his friends find a vulnerability, they'd be tempted to share it with the people who would reward them, since they've seen firsthand that their reports to Facebook seem to just get ignored. When you consider that his entire region is in turmoil, and that social media is clearly playing an important role in the uprisings across that region [whether you agree with them or not], you'll understand our reasons for insisting that his efforts be rewarded somehow.
Edit 1: Not suggesting that fb intentionally ignores their reports for poor English or any other reason, but that's clearly the impression they're getting.
Edit 2: And while I have no reason to believe that this guy (Khalil) would ever report a vulnerability to some dictator's security forces, others who have seen this story might. And those who have seen this need not be his friends either, since it's on HN, /r/technology, and elsewhere.
Edit 3: As tszming suggested, if you don't want to risk setting a precedent by offering cash, you could perhaps sponsor an all-expenses-paid trip (with no implications of future employment) for him to visit Facebook HQ. Granted I don't know the legal implications of this, but it does give you a chance to buy this guy lunch and tell him in person that you do appreciate his efforts, motivate him to continue reporting any vulnerabilities he finds, and tell him to encourage his friends to do the same. Actions speak louder than words, and there's no question this would have a far bigger impact than the dismissive two-liner he received, even if the intention was the same.
When the top guys behave like this about rules, it clearly shows a lack of conscience. Rules are made to keep 99.9% of mess at bay.
This guy invaded the privacy of, say, 1-2 people, and that only when the relevant authorities didn't respond in the correct manner, and saved the invasion of privacy of millions at least.
And what privacy? only a relevant post (not a spam) on profile of the company's biggest authority.
Yeah someone probably died of laughter from that post/ breach of privacy... So DUMB!
But perhaps the bug-hotline gets so much spam that the OP came off as junk email to the FB dev team? Just skimming over his email, I'm struck by how much poor punctuation and capitalization triggers my mental spam alert (and that's before even reading the actual contents).
I'm sure the FB security team triages a lot of bug reports, and a few get away - hopefully they'll be better about trying to get more info (boiler plate requesting steps to replicate or a video), but beyond that no harm no foul. I can also see that they don't want to encourage researchers messing with real user data. However, if they paid him out and told him in the future, that he should provide more information and not use real accounts (or not get paid out, etc), that'd have the same effect (you know, since it already happened) w/o the bad will generated.
Instead, they didn't pay him, locked his account, and now we're reading that blog post, not only encouraging him and the people like him in the future to not submit these bugs in the future (certainly serious enough that it'd be worth discovering vs being in a 0-day marketplace), but generating way more visibility for no good reason. It's just not smart.
Shame on Facebook for dismissing this guy's reward due to the lazy actions of one employee. It would have taken one question, or one 5 minute validation of the claims to make this a non issue.
Edit: I'm sure Facebook engineers have something a bit more advanced that this:
https://www.facebook.com/zuck?and=khalil.shr
This link works if they know each other. Try going to your profile and adding ?and=zuck for instance
Edit: It was a tame music video. On the spectrum of demonstrating to a test account all the way through to selling his discovered flaw to actual spammers, I rate this at the low end.
Unfortunately, that didn't work either.
The TOS stuff I think is a bit shitty. Partly because they made him do it (more than necessary).
> Nope that's not a bug.
What did you expect him to do? Learn English on the fly? Conveying specific technical things is a difficult skill to learn even for native English speakers.
Sure his communication isn't the best, but neither is "I can't click that link" nor "This isn't a bug."
Pasting a link to a Facebook profile does not explain the exploit.
At first Facebook was similarly dismissive that it wasn't a bug. My friend pushed a bit to convince them with additional details and examples of how it could be easily used for exploits. They finally saw the light. The bug was fixed and my friend got paid $1K which wasn't much for the bug's seriousness. In any case it got fixed and my friend got acknowledged so it's OK.
It's a bit of a pity, though, that they didn't see it to be serious at first. I would have expected any mediocre engineer to skip a heartbeat when learning of such a bug in their system.
Come on guys, just give him the money.
Every security report should be taken seriously, regardless of whether it comes from a well-known expert or just a guy from Palestine.
Maybe Mark should just hire the guy to replace the initial bug responder.
PROTIP: Reports should have PoC and be concise. No information about your bachelor degree should be attached.
http://www.reddit.com/r/netsec/comments/1kkvei/user_reports_...