Security researcher hacks Zuckerberg's page to prove a point

Fact: All software has bugs. Applications are very complex and there are always going to be errors that the developers didn't catch. This simple truth is the reason why many software companies offer "bug bounties," cash prizes for bringing these issues up. The thought is that not only does it help make the software more secure, it helps motivate the good guys to find the problems and report them instead of having the bad guys exploiting them without anyone knowing about it. Facebook created their own bounty program two years ago.

Late last night, RT News reported that a security researcher from Palestine by the name of Khalil twice submitted a bug report to Facebook's security team. The second response simply said, "I am sorry this is not a bug." After getting nowhere trying to convince Facebook security of the problem, Khalil decided to go directly to Facebook CEO Mark Zuckerberg.

Dear Mark Zuckerberg,

First, sorry for breaking your privacy and posting to your wall. I had no other choice to make after all the reports I sent to the Facebook team.

My name is KHALIL, from Palestine.

A couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users' timelines while they are not in the friend list.

I reported that exploit twice. The first time I got a reply that my link had an error while opening; the other reply I got was "sorry this is not a bug". Both reports I sent from www.facebook.com/whitehat, and as you see I am not in your friend list and yet I can post to your timeline.

This is the last email I sent, including the Facebook team's reply.
http://pastebin.com/zzi2WYK6

I appreciate your time reading this and getting someone from your company team to contact me.

Sincerely,
Khalil

Within minutes of posting the message to Zuckerberg's wall, someone from Facebook contacted Khalil requesting all of the details of the exploit. The company then blocked his account while they worked on a fix. The issue was quickly fixed by Facebook's engineers, but the company is now refusing to pay the bug bounty because they claim his actions violate the terms of service.

While they may be technically correct -- he should've created a test account instead of first posting on a random woman's wall -- we feel that he was following the spirit of the rules and should still be paid for his finding. Facebook has no cap on the amount they pay for security issues, but the minimum amount is $500.

Cynics are saying that this actually may not have been a bug, but rather part of the NSA PRISM program used to spy on people, but we find that hard to believe.

Source: RT News


Thrackerzod said,
"I am sorry this is not a bug" aka "I'm too lazy to look in to it and we just don't care".

You nailed it!!

Facebook is a bug and should be removed, period, IMO!

Spicoli said,
If you pay someone that uses it outside the TOS, then you encourage more people to do it. Do you want your account hacked "to prove a point?"

He reported it properly twice prior. Once they told him it wasn't a bug.

shinji257 said,

He reported it properly twice prior. Once they told him it wasn't a bug.

And that justifies hacking people's accounts how? It seems more of a kiddie scream for attention.

Spicoli said,

And that justifies hacking people's accounts how? It seems more of a kiddie scream for attention.

If I reported a serious problem with a site that is used by millions and received this kind of response, I'd be ****ed as well. I would hardly call this a kiddie scream. FB is apparently taking the correct approach now since they realized the guy has good intentions. See my post above.

DerAusgewanderte said,

If I reported a serious problem with a site that is used by millions and received this kind of response, I'd be ****ed as well. I would hardly call this a kiddie scream. FB is apparently taking the correct approach now since they realized the guy has good intentions. See my post above.

I don't agree. It's a childish response to not getting the recognition that you think you deserve. If you fail to make your case, the failure is YOU and throwing a tantrum is not the answer. Learning to make technical points is a valuable skill and he should have taken the time to learn what he did wrong and fix it. Instead he's created a big black mark on his resume for anyone looking to hire him. You don't want people that pull stunts when they don't get their way.

Spicoli said,

I don't agree. It's a childish response to not getting the recognition that you think you deserve. If you fail to make your case, the failure is YOU and throwing a tantrum is not the answer. Learning to make technical points is a valuable skill and he should have taken the time to learn what he did wrong and fix it. Instead he's created a big black mark on his resume for anyone looking to hire him. You don't want people that pull stunts when they don't get their way.

"I am sorry this is not a bug" is a clear-cut reply in my opinion. They shut the door in his face. They didn't even ask "please elaborate and add more technical details" - they simply asserted that such a thing does not exist and is a feature.

Now this is of course not taking into account racism, which is wholly possible.

shinji257 said,

He reported it properly twice prior. Once they told him it wasn't a bug.

No, he reported it improperly - TWICE prior, by posting on the wall of a friend of Zuckerberg's that the bug reporting team wasn't friends with and who had a private profile, so they couldn't see the exploit.

That said, his improper reporting wasn't harmful, and it does sound like a pretty major bug. I reckon they should give the guy the minimum.

From the original article:
"In its latest reply, Facebook reinstated Khalil's account and expressed hope that he will continue to work with Facebook to find more vulnerabilities. "
I believe this is the right way to handle this after they've found that the hacker had good intentions.
Neowin post needs to be updated.

He was only temporarily blocked as an emergency measure while they figured out the hack. And the exploit couldn't be used to delete pages.

500 bucks minimum? Heck, Zuck shines his shoes with those bills, probably drops one on the ground and doesn't even bother to pick it up LOL.

naap51stang said,
.....

What a daft comment.

You know he's joined Warren Buffett's Giving Challenge and contributes to the Bill and Melinda Gates Foundation, right?

You wouldn't be in those clubs if you're ****ing away your money shining shoes.

HyperTallih said,
No reward? Why it's a bug!

Next time on the black market Khalil...


The problem was that he didn't follow the TOS when reporting the bug. He posted on some innocent person's wall, and then on the CEO's wall, haha. That's one way of not getting any bounty.

Normal procedure is to just test with a test account and report the technical details.

Refused to pay him due to TOS? What a POS. lol.. Next bug bounty will be held hostage. Pay me in advance or I'll use it to crash the whole system xD

Fact: All software has bugs.

No, they do not; SOME do, but NOT 'ALL'.
A generalization to condition sheep into accepting lower-quality software.

Torolol said,

No, they do not; SOME do, but NOT 'ALL'.
A generalization to condition sheep into accepting lower-quality software.

Practically all software more complex than "Hello, world!" does have bugs.

Torolol said,

No, they do not; SOME do, but NOT 'ALL'.
A generalization to condition sheep into accepting lower-quality software.

It's a generally accepted rule of programming. There is no such thing as bug-free code. It can be a bug in the program, compiler, linker, or assembler, but in the end it is still a bug. When people go in to fix the bug, sometimes they create a new one. Eventually they deem the code "bug-free", but guess what, someone else will eventually find another bug for the developers to fix.

This isn't to state that we should accept inferior code, but it is to accept that some bugs will be present in code, be it a program or a website. It is our job to report the bug when we find it so that it can be fixed.

Oh and trust me I can be persistent.

Fezmid said,

Practically all software more complex than "Hello, world!" does have bugs.

Not true. Software companies that are on the Level 5 ranking of the federal government's Software Engineering Institute are there because they create mission-critical bug-free software.

Mission-critical software does not mean bug-free software. Nothing is perfect. Not every edge case can be accounted for. The best thing you can do is to try and fail in a controlled way (which is what mission-critical software will do); however, there are many examples of bugs in the most critical systems ever created. Just search for space shuttle software bugs or autopilot software bugs, etc.

sanctified said,

Not true. Software companies that are on the Level 5 ranking of the federal government's Software Engineering Institute are there because they create mission-critical bug-free software.

Bug free as in they have not found any yet. I assure you that there is at least one bug lying around.

OrsenPike said,
Mission-critical software does not mean bug-free software. Nothing is perfect. Not every edge case can be accounted for. The best thing you can do is to try and fail in a controlled way (which is what mission-critical software will do); however, there are many examples of bugs in the most critical systems ever created. Just search for space shuttle software bugs or autopilot software bugs, etc.

17 bugs in the last 12 years.

He shouldn't have done it. Remember what happened to Timothy Spall when he hacked the Government, created a Fire Sale, then continued to escalate matters until Bruce Willis had to kill him?

I reported a bug in 2011 and got paid $2500 for it. Responsible disclosure isn't hard, just use test accounts and record a video of the bug in action so it's harder to ignore.

Javik said,
I reported a bug in 2011 and got paid $2500 for it. Responsible disclosure isn't hard, just use test accounts and record a video of the bug in action so it's harder to ignore.

Posting on the CEO's page is also somewhat hard to ignore.

Aergan said,

Posting on the CEO's page is also somewhat hard to ignore.

Yes, and against the TOS of Facebook. So no money for this guy. He messed up.

Aergan said,

Posting on the CEO's page is also somewhat hard to ignore.

The responsible disclosure policy and bug bounty policy state quite clearly that you should give them time to investigate, and they tell you clearly not to interact with other accounts without their permission if you have to use a real account to verify a bug.

https://www.facebook.com/whitehat

Facebook's refusal to accept the bug was stupid but he should have given them irrefutable proof in the form of a video.

buggingmenot said,
They don't want to pay him because he's palestinian. Mark Zuckerberg is a Jew.

Hahaha, great comment!

Cynics are saying that this actually may not have been a bug, but rather part of the NSA PRISM program used to spy on people, but we find that hard to believe.

Lol WUT..... yes the NSA has to use a code bug to get your wall data on Facebook..... tin foil hat club assemble!

-adrian- said,
Who said it is a bug.. maybe he found the API

I suspect that this is humor, but just to be clear, the bug allows you to post on someone else's wall as you.

This was just a good way for spammers to spam people, that's all. But it was definitely a bug.

pickypg said,
I suspect that this is humor, but just to be clear, the bug allows you to post on someone else's wall as you.

This was just a good way for spammers to spam people, that's all. But it was definitely a bug.

And if the security expert only found that one API call (or rather, announced he found that one)... what about the other hidden API calls to say go incognito or generally view a private account with no restriction, or view private messages of an account?

*eats his hat*

Agreed. The exploit was discovered. Damage wasn't even dealt. I believe if he didn't do it this way, they wouldn't have listened.

Jose_49 said,
Agreed. The exploit was discovered. Damage wasn't even dealt. I believe if he didn't do it this way, they wouldn't have listened.

That's why we have security bulletin posts with proofs of concept. Companies are notified about the exploit, they reply back with a fix time frame, and then the bug is published after said time. That way, bugs are fixed and people know what is going on.
This security expert could very well have made more money on the underground hack market for undisclosed bugs. Not sure how valuable this one would be since it's quite a visual exploit, but the market is there and Facebook should be wary of how they're biting the hand that feeds it (exploit tips); the next security hole might not be relayed to them in an orderly fashion..