Note to security response teams everywhere: Not all vulnerability reporters speak perfect English, nor are they all experienced in writing up details on how to exploit issues. It is your responsibility to obtain details from reporters, after the initial report, to avoid situations like this. Facebook should give a bug bounty here, due to their lack of due diligence in following up with the initial responses.
Yeah, what the hell were they doing responding "This is not a bug." without investigating or asking for more details? What the hell is the point of even responding to possible security alerts from the general public if you're not going to investigate?
Yeah, I wonder why the guy who said "This is not a bug." isn't actually the one getting in trouble. Clearly I understand why not - but then his actions led to the person reporting to escalate their actions to get attention. If the "This is not a bug." guy actually helped guide the person reporting to the proper, expected actions, then this would have likely gone completely differently.
Surely that person is in trouble, or will be once the relevant bureaucracy gets back on Monday morning. This is just a huge embarrassment, and exactly the opposite of proper security analysis. But no one is going to admit that externally until all the internal work has been done.
It's an assumption that they even care or are looking into it. So far the resulting outcome is they are blaming the guy who didn't follow "their rules" (that wouldn't likely have been clear to him due to a language barrier). This should hit mainstream media though - because if that kind of bug exists, what else exists that Facebook doesn't even know about, that's being taken advantage of?
Before contacting the submitter, we want to be sure that we weren't missing something, but after looking at it from every angle, we still couldn't see what the issue was.
...Stumped, we contacted the submitter. "From what we can tell, the call to system takes place before you call the LoadKeyboardLayout function. Can you elaborate on how this constitutes a vulnerability in the LoadKeyboardLayout function?"
And to go further, Facebook has an office in Dubai. [0] Are you telling me if language was not a barrier, they could not find a single Arabic-speaking employee? They could even save money on the collect calls, if Facebook was not an option.
And hats off to Khaled. Hebron is not a fun place to grow up, and making it that far, a B.S. that is, is an accomplishment. I grew up with far more privilege and I am still not smart enough to come up with Facebook exploits.
Yes, right. The security team will ask the management to locate an Arabic speaking employee to handle a cryptic email, and do so for every email! That will surely scale. And employees love handling email exceptionally well.
What surprises me the most is how badly they are handling the incident! The behavior reflects that of a classic old and inflexible corporation that hides some details in their small print to screw their customers over.
It reflects incredibly badly on their relationship with the tech community and I am sure we will see some superficial backpedaling very soon.
> The behavior reflects that of a classic old and inflexible corporation that hides some details in their small print to screw their customers over.
You act as if corporations maliciously "screw their customers over". See the responses below and you'll see that in this specific case FB actually wins out when they pay more to their whitehats.
I hate to single out your specific response, but it's comments like this (and the other 90% on this thread) that remind me how very few people on HN have experience with businesses at scale. Classic old and inflexible corporations, or let's just call them "enterprises", create policies so they can protect the highest number of cases available, but not all of them. It would be silly to think otherwise.
Yes, but it is exactly these kinds of policies that make enterprises, corporations or organizations look bad.
This is like getting PR advice from a lawyer when there is trouble coming your way. Sure, the lawyer will tell you to repeat "no comment" or deny any involvement over and over again. That might be the right strategy in a legal sense and work out fine when nobody is watching.
But you are losing in the court of public opinion when the public perceives your actions as unfair. And denying some kid a few hundred bucks even though he found a legit hack just because he didn't follow some proper corporate policy guideline does definitely reflect negatively on Facebook.
> Yes, but it is exactly these kinds of policies that make enterprises, corporations or organizations look bad.
And what do you propose as the alternative? A legalised document that outlines every "if this"-"then that", in every language, continent, dialect, etc.? You know how that story goes...
> And denying some kid a few hundred bucks even though he found a legit hack just because he didn't follow some proper corporate policy guideline does definitely reflect negatively on Facebook.
You know what makes Facebook look even more negative? The future precedent set when good-will hackers think it's OK to use a non-test account and drop the exploit on the CEO's page.
I know it's hard for the HN community to do so, but let's try practicing some empathy with both sides before we pick up the pitchfork.
I suppose I didn't articulate that point correctly. Facebook has a policy that basically says "if you find an exploit don't do it to real people, use a test account to reproduce it". So regardless of whether it's the CEO or Jane Doe, it sets a bad precedent that reproducing the exploit in a (real) environment is a very dangerous thing.
After watching the video, it looks like the exploit involves:
1) Getting the target user's userId. This used to be part of a user's profile URL but Facebook allowed people to choose a "vanity URL" quite a while ago, so they're no longer as visible. So, instead, the userId is obtained from a FB Graph API query.
2) The form that makes up the "post to newsfeed" has a bunch of hidden inputs. One of them refers to a "xhpc_targetid" and this is probably where the target userId is injected. It's normally set to the current user's id for a default newsfeed post. These values in the DOM are modified during the exploit using something like Chrome Developer Tools on-the-fly and the form is submitted.
If this is truly the case (and I haven't verified it myself) this means that the server side is not really checking permissions and just blindly trusting the client input. Reminded me of this recent (http://arstechnica.com/information-technology/2013/08/how-ea...) article about trusting client input.
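To make the "blindly trusting client input" failure concrete, here is an added example (not code from the thread, from Facebook, or from the linked article): a toy "post to timeline" handler in two versions. The first accepts whatever `xhpc_targetid` the browser sends, as the comment above suggests; the second takes the author from the server-side session, rejects form fields it does not expect, and authorizes the target before writing. All account ids, the friendship table and the function names are constructed for this example.

```python
"""Added example, not code from the thread or from Facebook: the
"xhpc_targetid" blind-trust failure next to a hardened handler.
All ids, friendships and names below are constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request fails server-side authorization."""


@dataclass(frozen=True)
class Post:
    author_id: str
    target_id: str
    message: str


# Constructed social graph: target_id -> set of users allowed to post there.
# (A real service would also consult the target's timeline privacy setting.)
POST_PERMISSIONS = {
    "1001": {"1002"},
    "1002": {"1001"},
    "4": set(),        # an account that accepts posts from nobody but itself
}

# The only fields the post form legitimately carries.
ALLOWED_FIELDS = {"xhpc_targetid", "message"}


def vulnerable_post(session_user_id, form, timelines):
    """Trusts client input: whatever xhpc_targetid the browser sends wins.

    Editing the hidden input in developer tools lets any logged-in user
    write to any timeline, which is the failure mode described above.
    """
    target = form["xhpc_targetid"]
    post = Post(session_user_id, target, form["message"])
    timelines.setdefault(target, []).append(post)
    return post


def can_post_on(author_id, target_id):
    """Server-side rule: you may post on your own timeline, or on one whose
    owner has granted you permission in POST_PERMISSIONS."""
    if author_id == target_id:
        return True
    return author_id in POST_PERMISSIONS.get(target_id, set())


def hardened_post(session_user_id, form, timelines):
    """Same operation with the checks the vulnerable version skips."""
    # 1. Reject unexpected fields rather than letting them flow into the
    #    model (the mass-assignment style of problem).
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        raise Forbidden(f"unexpected fields: {sorted(unexpected)}")
    # 2. Default to the session user's own timeline; the form value is a
    #    hint, never the authority.
    target = form.get("xhpc_targetid") or session_user_id
    # 3. Authorize the (author, target) pair on the server, every time.
    if not can_post_on(session_user_id, target):
        raise Forbidden(f"user {session_user_id} may not post on {target}")
    post = Post(session_user_id, target, form["message"])
    timelines.setdefault(target, []).append(post)
    return post


def audit_timelines(timelines):
    """Detection-side helper: list stored posts that the server-side rule
    would not have permitted, e.g. to find abuse after the fact."""
    return [p for posts in timelines.values() for p in posts
            if not can_post_on(p.author_id, p.target_id)]


if __name__ == "__main__":
    store = {}
    tampered = {"xhpc_targetid": "4", "message": "hello from a stranger"}
    print(vulnerable_post("1001", tampered, store))   # lands on timeline 4
    print(audit_timelines(store))                      # flags that post
    try:
        hardened_post("1001", tampered, {})
    except Forbidden as e:
        print("blocked:", e)
```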
This is a pretty vicious error but a common one...it sounds like the analogue to Rails' mass-assignment default protections, which were exploited on Github by tampering with the params via inspector.
Coincidentally, that bug was also exposed by a non-native English speaker who was dismissed for his inability to fluently express himself.
No, I was dismissed for some other reason. My emails (I reread them a while ago) explained perfectly where the bug was.
On this topic: I still have no clue what vulnerability it was. Guy, do you know such terms as XSS, CSRF etc? Can't u just say where the bug is, nobody wants to watch a 6 (!) minute long video with Arabic subtitles rofl. peace
Correct. Sorry, didn't mean to imply it was hard to obtain this value (the switch to vanity URL part was more of an anecdote) but just to describe what happened in the video of the exploit.
I'd be surprised if this were actually the exploit. If it were, I don't think it would have stayed undiscovered for so long. I'm sure that changing the "xhpc_targetid" was one component of the hack, but some of the other inputs probably had to be manipulated as well.
Ad Board Chairwoman: Mr. Zuckerberg, this is an Administrative Board hearing. You're being accused of intentionally breaching security, violating copyrights, violating individual privacy by creating the website, www.facemash.com. You're also charged with being in violation of the University's policy on distribution of digitized images. Before we begin with our questioning you're allowed to make a statement. Would you like to do so?
Mark Zuckerberg: I've...
[Mark stands up to make his statement]
Mark Zuckerberg: You know I've already apologized in the Crimson to the ABHW, to Fuerza Latina and to any women at Harvard who may have been insulted as I take it that they were. As for any charges stemming from the breach of security, I believe I deserve some recognition from this Board.
Ad Board Chairwoman: I'm sorry?
Mark Zuckerberg: Yes.
Ad Board Chairwoman: I don't understand.
Mark Zuckerberg: Which part?
Ad Board Chairwoman: You deserve recognition?
Mark Zuckerberg: I believe I pointed out some pretty gaping holes in your system.
It's funnier when FB points to some fine print and acts like bigger douches than those administrators. I would've half expected FB to have engaged this person in a whole different spirit, with all the well publicized "we're cool & paying whitehat hackers" PR & news articles.
Jim Denaro, @CipherLaw on Twitter, a lawyer specializing in these issues and someone who has studied bug bounty programs, twerped earlier at me:
Paying out a bounty in that situation would be legally risky. Would advise against it.
Facebook's ToS forbid you to compromise other users' accounts in any way. Its bug bounty terms require the consent of any accountholder used to search for bugs. It's also bound by California laws regarding breach notifications. And over the long term, it must retain the ability to enforce its own ToS. These are just the objections I can think of.
If you're going to participate in a bug bounty program --- and you should --- don't use non-consenting accounts to do it. This is a simple issue that's been blown out of proportion by message board pathology.
Don't pay the bounty for the bug then. Pay it for identifying the weak links in the security-reporting chain. The links that shrugged the bug reporter off, from the start; didn't have, at the very least, some boilerplate to guide the reporter; didn't have avenues or rules for non-English speakers.
For all we know, the reporter might have thought, "This will never work" or is not up to speed on or didn't understand the rules. Facebook certainly didn't help him, at every turn, including the last email "Sorry, l2p."
Hey folks - I work on security at Facebook (though not specifically the Whitehat program) and just wanted to let you know we're looking into this right now.
OK - so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video initially, we would have caught this much more quickly.
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.
"As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs."
I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit - and right aligned really badly as the page evidently expects Arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.
This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.
edit - hmm, was about to check the situation with other languages, however now all the buttons are in Arabic so I stopped bothering after the fourth random page.
Great point and I hope the FB security team take notice of your post. Whether or not this guy gets paid, I certainly hope they spend the money to get proper translation of their policies in every language they operate in.
They can't pay people to violate their terms of use or to try to violate the privacy of their users. Even if they wanted to, they're probably not allowed to do that.
So if a security bug was discovered using methods that are against the TOS then the information about the bug is worthless for them and it's better to sell it elsewhere.
The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.
However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.
Well according to Facebook, "this is not a bug". Which means the feature works as intended. If he is using Facebook as it is intended, then how can he be breaking the TOS?
When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.
They wouldn't be paying him to violate the terms ... and it's not like Facebook has any problem with changing a user's privacy settings without permission - except I guess we probably somewhere in the agreements agreed to allow that, or not hold them accountable - probably both.
"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."
It's translated. I believe it requires you to be in a locale to get this page to display automatically. It certainly exists for people creating accounts in Arabic, and absolutely includes the relevant lines.
Does it concern you that ultimately the way the OP got your attention is by posting to MZ's account? Are you sure you'd have ever "discovered" it if he hadn't? I agree that the OP didn't do a great job, but if he's submitting a vulnerability that you really want to hear about and you're ignoring him because of some miscommunication and you ding him for doing the one thing that gets your attention, you're creating an environment where you're less likely to find out about these things.
I think there's a spectrum between letting whitehats do anything (including violating privacy, hurting real user accounts, etc) vs. suing everyone who changes a GET param somewhere. Having a whitehat program with (IMO reasonable) guidelines around not impacting unsuspecting real users seems to me like a good balance and is fairly close to the first part of the spectrum.
Obviously I don't love the end outcome, and this would have gone better for all parties if he had used a test account and included some kind of repro instructions (like that video) in the initial report.
>this would have gone better for all parties if he had used a test account and included some kind of repro instructions
Clearly, but that's not really something you can control. From your perspective, the other side of the tradeoff with "hurting real user accounts" is "leaving open a huge security hole", not "being mean to whitehats when they screw up". I don't disagree that the guidelines seem quite reasonable prima facie and perfectly fair to the whitehat in some moral sense, but it's unclear if they're actually working. It boils down to, if you had to choose between finding out about this security hole the way you did or not finding out about it at all, which would you choose? How many not-quite-so-aggressive versions of this guy are out there, and how many holes are you leaving on the table? Edited to add: If an important way of finding vulnerabilities is people breaking the rules, then the rules suck, regardless of their intrinsic fairness.
It could well be that keeping not-great-communicator/guideline-follower whitehats from reporting some number of bugs through questionable means is actually worth those flaws sticking around. Of course I don't see the daily flow of vulnerability reports to FB (or all the ones that don't ever get reported), so I don't know. But it sounds like a harder question than you make it out to be.
Again: how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.
We all know this person had good intentions. But good intentions aren't always enough. Facebook doesn't appear to be freaking out at him. They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Firstly, no idea how you can conclude he hacked an account. A bit strong of language there? Second, does reason not come into play here? You don't have to write a policy to compensate people for violating privacy - however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exists. Just no one at Facebook wants to engage and be human it seems.
> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?
This is like... the textbook definition of a hack.
> however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exists. Just no one at Facebook wants to engage and be human it seems.
I love that this statement is downthread of a Facebook engineer's comment that states he considers the guidelines reasonable. It's as if you're just a drone following written orders without the ability to make compromises.
>> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?
>This is like... the textbook definition of a hack.
Perhaps of "hacking FB", but he didn't "hack an account".
I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.
All they are achieving by reacting this way (including the apologists) is that next time, such people will just sell their exploits on the blackhat market.
I don't think it has anything to do with saving money. It really seems like a case of trying to take human judgment out of the equation. Strict adherence to rules is easy for bean-counters to push but frequently problematic for dealing with real world situations because rules are never perfect.
Facebook really doesn't need to save $10k by not paying this guy. It's about upholding the terms and not setting a precedent.
The blackhat market for Facebook exploits is not huge because the product is centrally controlled and can be patched at any time. It's not like 0-days for products with individual installations that aren't centrally controlled with forced updates - those are clearly valuable.
What incentive does the engineer have to look deeper, and more holistically at the situation? None, especially if he doesn't want to create friction within the company - he can just sit comfortably having followed written protocol. A human with compassion can make compromises, someone following orders can't.
In as much as he posted on another account's timeline without permission, he "hacked" it in the "unauthorized access" sense of hacked.
re: reason; where does his reason come into play? It does not seem reasonable to post to M.Z.'s timeline, I'd guess he did that because he was P.O.ed at being dis'ed by the support people.
In the bureaucratic theory I am aware of, if you have rules (policies, procedures, standards etc.) you need to apply them consistently. Sometimes the rule will allow for discretion, sometimes not. I don't see room for discretion here.
I believe you're comprehending his actions wrongly. He stated before he'd be able to post even onto M.Z.'s timeline, to announce that this isn't a narrow scope issue, and that it was to gain attention. I see no malice or anger. If of course M.Z. all of a sudden sees some guy, who isn't a friend, posting to his wall - you think he might actually look into it, right?
Yeah, rules that don't take into account reason are inhumane. Similarly why we don't just give everyone 10 years in prison because they committed a crime - you take into account all aspects - and not just apply "oh but he committed a crime, so this is the result."
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
I don't see why that is. They already provide the following caveat:
> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]
So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).
I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?
He didn't try to reproduce the bug with a test account though. If he had and it hadn't worked, the fact that he then used a real account would've been acceptable.
"Can't pay him" sounds like bureaucracy BS. I'd argue that it's in their best interest to find a way to pay him. Why make people jump through hoops to report an exploit in your product?
However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.
"Can't pay him" doesn't sound like bureaucracy BS, they don't pay him because he violated the TOS, it's on purpose. We could argue this is stupid and the TOS should be changed, but I can understand why they specify that in the process of reporting a bug you use a test account. Violating a real user's privacy to report a bug isn't the proper way to report a bug. If they made an exception with this guy then they would have to make more exceptions and possibly set a bad precedent.
I disagree. I don't think that making a case by case assessment is opening the floodgates (that argument is exactly what I would call bureaucracy BS). For an exploit of this severity I would expect them to be grateful to someone who was obviously not being malicious regardless of some silly policy.
How would you feel if he found an exploit that allowed him to make all your private messages public and proceeded to report this by leaking your inbox?
I'm no fan of Facebook, but even I can see why they can't ever encourage such irresponsible behaviour.
Well, we don't need to assess fictional scenarios, we can take a look at what this hacker has achieved.
1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)
2) Embarrassing the CEO of a company and thereby also hurting the reputation of his company
3) And on top of that he breached his privacy
And you still think that they treated him too harshly by withholding payment?
I mean couldn't he have waited a few more days or reopened the ticket - or maybe just used Facebook's test accounts?
It's not like he waited for ages, he brought this bug to attention last Friday.
But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZ's wall.
It would be great if they said "We can't pay him" publicly then just cut him a cheque privately with the understanding that he not tell anyone he got paid. This way, they can go on with the TOS saying you can't affect real users with your hacks, and the dude that blew the whistle gets the reward.
> how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.
Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.
> But good intentions aren't always enough.
Several attempts to contact them despite being told the actions he was taking were not a bug, despite clearly explaining why it was?
Slightly off topic, but it would be nice if the test accounts really worked all the time. I've seen a number of cases where entire sections of the site (e.g. http://developers.facebook.com) error out (return 500's) when using whitehat test accounts' auth info. This leaves us with little choice but to use real accounts in some cases.
But a member of your team was in control of the outcome and messed up. This guy really wanted to make sure that you guys saw the issue in spite of a member of your team screwing up.
You should be rewarding him, not discouraging him.
I know arguing with someone as stubborn as you is useless, but what can I say?
I hope that the fb'er who replied to him saying "this is not a bug" has been retrained to use the words "we are unable to reproduce this issue, please provide further information or perhaps a video demonstrating the bug".
So no one reasonable is allowed to actually make a decision eh? Must be shitty working at Facebook if decisions don't have a human-compassionate influence to them.
It's plain simple corporativism. The guy escalated the issue to their boss and they are not happy. Since this is probably a failure at multiple levels, they will fight back. It really sucks but it's all very unexpected.
He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.
Exactly, no harm was intended or done. Somebody posting on your wall doesn't even really impinge on your privacy (Hell, for all intents and purposes Facebook do it for profit). Whatever reward, perhaps reasonably reduced, they pay this guy will be cheaper than any bitterness earned from sitting behind a wall of pedantry with big fat righteous grins on their faces.
If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.
You're doing good work. Don't be discouraged. You clearly have some talent, and you can do positive good with it. Large companies are wedded to their rules, terms, and systems. As you work more on these sorts of things, the process will get easier. As you can see, there are many supportive people here.
Why wouldn't it be? At worst, wouldn't facebook be the aggrieved party, and not another user of facebook?
Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.
If this is the case, then surely facebook could just choose not to press charges, and if so, what would be unlawful about paying him in that case?
The bank example's a tad off when trying to draw a correlation to this particular case. I do agree with your sentiment though.
I would reword it and say: if someone pointed out to a stubborn bank manager who refused to listen that the vault and much of the bank's money was easily accessible, by taking out a few dollars from the bank & handing it to him. Then a very embarrassed manager would be right to reward the person for showing the institution's flaw and not robbing them blind.
They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)
Posting something on someone's wall isn't so much invading as it is leaving a sticky note on their door. By that metric UPS invades people's homes quite regularly when they fail to deliver a package. Had he actually accessed any non-public details of a user's account that might be one thing, but the only data he was able to view was the post he had created himself. In short, it was his data, from his account, it just happened to be located on someone else's page. Honestly it's not even that bad of a vulnerability, more like a mild nuisance.
They will pay for reporting of the bug. What's with the apparently intentionally inaccurate description of his actions? All he did was post to someone's wall, that's hardly "invading someone's account".
You're right; I am officially derisive of this discussion. You know I'm not making an argument by trying to characterize this person's actions as malicious, but you keep raising that idea as an issue, because you actively don't want to understand what's happening in this situation, but would prefer instead to demonize Facebook's security team.
You seem to be making an awful lot of excuses to not just pay someone who brought to light a critical exploit. Do you work on the security team or are you a lawyer (maybe with a panicking accountant looking over your shoulder) trying to find fine print reasons to say, "Aha! We can save money to our bottom line in this instance!" ? Do you know how silly it looks for you to make these excuses?
The situation is the guy in good faith tried to give them repro steps and report a critical bug. Technically he fucked up and didn't do it on a white hat account. No harm was intended or done. They are denying him his reward based on a technicality. If that FB employee is not some lawyer trying to cover their asses, then he should want to pay this person and make it happen via some exception. If they truly didn't care about the money and wanted to pay more bounties they would do this. There is no danger of ruining the integrity of the ToS as another replier suggested. In future incidents they are free to not make an exception. In this case, it was all in good faith and the guy didn't know the proper procedure.
They're not "denying him the reward". He demonstrated the vulnerability on someone's actual account. They can't pay people to fuck with other people's accounts. That's not what bug bounties are about. Only on a message board is this hard to understand.
A very specific message board, it seems like. /r/netsec is having no trouble understanding it.
Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.
No, you just refuse to think about the larger picture. I went out of my way to say that this person wasn't deliberately harming anyone.
You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.
It's understandable, it's just not the right mentality towards someone that hacks for profit, and bug bounties generally target this ($500 though is hilarious). Effort and time are supposed to be directly related to payout; if it takes more effort and time for less of a payout then the bug reporting is broken.
That is a vague reply with no apparent relevance to anything I said except the amount $500 which was not to be taken literally. My point was that facebook isn't doing this to save money and believing so is idiotic.
You apologise and pay the guy. Then you write it up as a public case study in very simple English. At each step point out what he should have done. That means the next people know what to do, and everything comes out positively from this.
At the moment the loud and clear message is that there are far more welcome places than Facebook to report found issues.
Is your whitehat page translated to other languages? If I select a different language, only the login and footers are translated. I don't think you can reasonably assume that non-English speakers can understand the entirely English whitehat page.
Additionally, if you're not logged-in, then the test accounts page doesn't work. It redirects to the same page as facebook.com/whitehat, with no notification that the test accounts page even exists.
The right thing to do is add Khalil to the white hat list, and pay him what he deserves. He doesn't speak or read English as you have noticed. Your TOS for white hat page is NOT even translatable.
He used real accounts because your team did not care what he had to say. What do you think he should have done? Sell it to the black market?
But couldn't your team be a bit grateful? Though he did post to Zuck's account, he didn't sell the vulnerability as a zero day on the black market, no?
A cheap insurance policy, making the payout, cultivating trust with white hats who are nonetheless decidedly a bit bone headed (if not well meaning).
I agree with you that facebook should not pay for the bug since he violated the policy; instead, facebook can consider offering him an interview opportunity and sponsoring him a trip to facebook.
> many of the reports we get are nonsense or misguided
Alright, here's a preemptive question for you then.
Should a logged in user be able to retrieve the email addresses of an arbitrary friend, regardless of their contact privacy setting being set to "only me"?
Thanks also that was a typo. First time I have ever heard it was in these comments. We don't ever use it where I work and I deal with customer reported bugs every day.
This is crap and you're embarrassing yourself and Facebook.
You all are lucky that people are sharing this stuff with you guys for $500 instead of on the black market for much more. You're also lucky that people are doing the job that highly-paid Facebook engineers should have done. And if I read between the lines of your post, you and your team think that you're pretty clever.
The right thing to do is to cut this guy a check for $500 and keep your mouth shut, before people stop reporting security bugs to you.
I know I'm already discouraged--if I find anything, the last thing I want to deal with is a mediocre engineer telling me I didn't fill out the TPS form the right way.
the language barriers are enough to justify any mistakes made in conforming precisely with the t&cs. he didn't abuse the hack. he reported it to you. pay him tbh.
Although Mr. Shreateh did not follow the Facebook TOC to the letter, as written by Facebook's legal team, he did operate in good faith, according to the Yahoo article, quoted below. Whether or not Facebook legally owes Mr. Shreateh $500 + change, the potential PR costs and the "cheap" image are ones I would hope do not attach themselves to Facebook - leave that to Walmart.
"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.
That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.
He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post.
Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.
Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."
You discover a bug on FB just by being a normal user not a "whitehat" security user:
* You discovered it by doing "something" to someone else's account --> FB will not pay : SELL on black market.
* You think the bug isn't really a bug but then it happens again --> FB will not pay : SELL on black market.
* You have a life that you don't want to waste with reading through legalese and filling out forms. FB says it is not a bug. Maybe they are right? You don't want to spend the time arguing about it over email --> SELL on black market
* You are not a lawyer, or do not do security testing full-time on FB. Or you are a normal user who has not kept up on the FB ToS now that we are on the 100 billionth version --> You probably did something wrong. --> FB will not pay : SELL on black market.
* You are a US citizen and do not want to be charged with CFAA violations as a hacker --> SELL on black market.
So can I report the same bug under the guidelines and get paid for it, or did you rob him and patch it already? Just pay the man; as a programmer, a simple bug like this is a huge no-no on the engineer's part, and not rewarding the user for his conduct is plain selfish of the company.
Facebook is wrong on this issue. OP made a good faith effort to report the problem. When this failed, he demonstrated the bug in a non-destructive way. He did not post maliciously, nor did he use the bug to obtain confidential information. When the channel set up by Facebook failed, he took the problem to the CEO. I will post this issue to various social media outlets until the OP is fairly compensated. Facebook's actions here are deplorable and discourage users' efforts to report bugs.
I worked in FB before so I understand that it's kind of impossible to track all the bugs/reports received without clear information provided. However, you can easily tell this guy is humble and not really trying to show off; it's the one who simply wrote "this is not a bug", instead of asking for more information, who pushed him to actually hack Mark's page.
For a better PR, pay him and use this case as an example to teach the future whitehats. FB has low esteem for a reason.
Exploiting bugs to impact real users is not acceptable behavior for a white hat.
It's pretty arrogant of Facebook to redefine the meaning of white hat, don't you think? Posting to the Facebook founder's page to let them know of a security vulnerability is not malicious, plain and simple, not. Trying to steer the embarrassment of your failings because this guy didn't read your TOS is incredibly hypocritical.
And you base that on what? Sending someone a message to give them a heads up on their security, no matter the medium used, is not malicious behavior, if you feel it is .. well, the world must be a very scary place for you.
With all respect, obviously you were able to reproduce the bug and fix it. Maybe you forget that the language barrier with Palestine can be an issue too, and that you did not make clear what you were asking for when he sent you back a link. Obviously it is more work to post on Mark Zuckerberg's page than to respond in the way you want.
Plus I am very sure the mistake was on Facebook's end in the first place. I experienced it myself: for 6 months now I have been trying to get Facebook to take action over privacy breaches and violations of Facebook's terms by a Facebook user - I have not even gotten a response on any channel I tried.
If you really do not give him his reward for the report and for keeping you informed, then this is extremely unfair on Facebook's end. In this case I strongly recommend to white hat hackers in future cases: do not count on the Facebook team; publish bugs and security issues on blogs. Obviously the Facebook team gives priority not based on whether a problem is urgent, only on how "public" it is.
In all honesty I think you guys are being extremely harsh with a man that has pointed out a huge problem on your website. He has done Facebook a huge favour and instead of paying him, you have the nerve to refer to a TOS not written in his first language as an excuse.
This will lead to bad publicity for a multi million dollar company like yourselves. The man looks really poor and if he wanted to he could have made a lot of money selling that exploit to spammers. However he decided to do the ethically right thing, only to be stabbed in the back by Facebook. I cannot believe that a company of your size and magnitude would stoop so low, it's pathetic!!!!
Just on that basis I will boycott Facebook as your organisation seems to have lost all of its good morals!!!!!
By him demonstrating something which Facebook clearly stated "...is not a bug" at the time, Facebook can't claim he violated the ToS. If it was not a bug, he was taking advantage of a feature which Facebook gave him the liberty to use by stating so. The moment Facebook claims it is a bug, that contradicts what Facebook told him in the email, and thus it is Facebook's fault, not his. Facebook REALLY should not have said "this is not a bug." Facebook then had few options: to leave this as a feature (which is ludicrous), or treat it as a bug and redact what was stated in the email, which means Facebook should pay the damn man. You can't lie in an email and then pull a 180 when it's convenient for you.
What you've just done is create a disincentive for "researchers" to report vulnerabilities to you. The next time Khalil or someone else finds a vulnerability (and there will be a next time), he/she/they will simply use it and/or sell it. Khalil did the right thing, at the end of the day, and only broke Facebook protocol in order to get your attention because you ignored his first (legal) notification of said bug. If you don't pay him, you'll have a hard time with credibility in future cases.
In addition to all of that, it's the right thing to do.
If you admit that "you should have pushed back asking for more details" then you should also admit that because of that, you are partly liable for the fact that he did go beyond the explicit rules. Now, are those rules also in Arabic? Also, how are you to encourage users to work with you in a quick, efficient manner, if these kinds of things are bogged down with red tape? It's only $500. Perhaps you should change your rules to make the system for bug reporting easier, more efficient, and a bit more egalitarian. Best,
LJ
That's ridiculous, he didn't use the accounts of real people. Real people wouldn't have elicited the FB security team response within minutes. Real people don't have a "follow" button on their wall. He used the one account that got your attention and was not malicious and he deserves to be paid. You know damn well your terms are meant against maliciousness and spammers. Your stance is petty.
You guys should hire the guy since he showed the world what a big flaw that was; instead of selling it he kept on trying to tell the company. He should be seen as a hero by Facebook!
Shows how many issues there should be that are not taken into account.
BTW: English not being the primary language for these folks has nothing to do with it; it shows how much stereotype there is in being American or not. It's a global world, wake up!
I think we all know the signal-to-noise-ratio on the internet is a bit whack. So it seems entirely plausible that this was all due to an improperly formed submission.
That being said I think Facebook could have given the reward and a slap on the wrist at the same time considering the language barrier.
Considering the language barrier, a slap on the wrist is less appropriate. Facebook could have used this opportunity to publicly explain to Khalil that his bug finding techniques are not in accordance with the guidelines and garner good will by paying him the $500 as an exception to the rule. The media would be frantically covering how facebook, in spite of its guidelines, decided to thank the person who reported the bug and overlook an apparently innocent mistake. A missed opportunity on facebook's end.
So the security person who said "This is not a bug," - what's happening there? If they had guided the guy reporting the bug, asked for more information or directed him to the expected methods for reporting, then this would have likely gone completely differently, right?
By the time he'd reported it, he had already used the exploit to post on a live, non-friend, account. As far as I understand, that's already a violation of the TOS.
It's fairly obvious he didn't understand the whole whitehat accounts thing he should have been using. English isn't his first language, so should we fault the guy for that - or Facebook, which is an international company with 1+ billion users? Or should Facebook own up to the fact that they should probably update their documents - or give the guy a fucking break because they haven't done that? This is where you need REASON to react REASONABLY, and not just use a blanket statement to "make their life easy" in decisions like this. That's lazy and inhumane.
Highly unfair that you aren't paying him, TOS or not. Additionally, one could argue that your TOS is bad to begin with. It could be re-written to properly account for this situation. This guy did not have malicious intent - that is the bottom line and all that matters here.
You could have just replied with the name of a test account and told him to post to that one to verify the exploit. In that way you would avoid any permission problems with real accounts.
Pay the guy! He could have sold it and made lots of money. He was trying to do the right thing. Too bad he had to go to such extremes to get someone's attention.
How about looking into paying this man for his honest bug finding work? The response from FB on this is disgusting.
"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
We have now re-enabled your Facebook account.
Joshua
Security Engineer
Facebook"
Non-rhetorical question: is your team concerned that not paying out a bounty for this report may be exploited by anti-semitic groups?
I can already picture people saying "of course, Mark Zuckerberg would refuse to acknowledge the work of a Palestinian." (regardless of the fact that Mark Zuckerberg describes himself as an atheist)
As many others have said: The TOS was only available in English and that's not his first language. He did the only thing he could to get your attention and fix the problem.
I'm not sure how Facebook was supposed to know this was a vulnerability. If you look at the actual conversation it looks like Khalil is reporting the ability to post on other people's walls as a vulnerability.
In the first email, Khalil simply says that he can post to Sarah Goodin's facebook wall. He makes no mention of the fact that he and Sarah Goodin aren't friends.
The Facebook engineer replies that he is unable to see anything from the link that Khalil sent. This is because the engineer and Sarah are not friends.
Khalil responds with a screen shot of the post. Again, Khalil makes absolutely no mention that he and Sarah are not friends at all. In fact, at this point it would appear that Khalil is friends with Sarah, as he states that only her friends can see her wall. I guess he is able to see the post he made though.
At this point, Khalil decides that the only course of action is to go post on MZ's wall. How is that sort of escalation appropriate? By paying Khalil at this point, all you are doing is telling people that MZ's account is an acceptable place to report vulnerabilities, which is a horrible precedent to set.
I'm surprised you're not taking him to task for his poor grammar, sentence structure and obvious misspellings. To say "replay" when he means "reply", how the hell did his accent make it into his writing? Quite obviously his reports were ignored.
Most certainly, this chap should have followed proper decorum by consistently petitioning Facebook to pay heed, by filling out the necessary forms and ensuring a stamped, self-addressed envelope was also included should they choose to write to him at a later time.
And then to go and expound his savagery to the Noble CEO's account, an utter insult to civility indeed!
(Yes! I'm being sarcastic)
I don't know why you are being sarcastic. I don't make one mention of Khalil's grammar. I understand that everyone's first language isn't English, but Khalil isn't even making an effort to be clear or accurately communicate what the problem is.
In the comments of the blog post, Khalil admits that it isn't that he has a poor understanding of the English language, it is just that he doesn't care.
> whatever , i dont care for miss spelling , just the idea , i never correct an underline red word ;)
So we have a guy that doesn't give a crap about communicating correctly, who then complains when he is not understood.
My views below are not directed at you individually.
Through my sarcasm I was trying to convey the often imperialistic (and in my opinion useless douchebaggery) view we tend to take on certain matters and people, which, I believe, hinders communication and progress in general. It's not just a language barrier, it's a cultural barrier. One that exists even between people who speak the same language. (Don't know if the social media movie scene with Zuckerberg being reprimanded by Harvard was based on real events or pure fantasy, but that's a good example.)
So he ignored some squiggly red lines, maybe his command of English is marginal. Maybe he's worried about bullets possibly flying over his head in a few minutes or in a situation that many of us in the west couldn't fathom. I've had to communicate in Spanish before and I know I probably slaughtered the grammar, spelling and more, but at that time I was trying to convey an important message. Fortunately the people I was speaking with were very kind and patient. They listened and somehow understood the sentences and symbols I had cobbled together.
This whole attitude we have, that if someone doesn't fit our cultural context in language or behavior they are somehow inferior, is absolute BS. I have seen programmers with an accent perceived as being "dumb", while in fact they were far better than their peers. I myself have been subjected to this type of bias, when I forgot to follow some proper decorum somewhere, simply because I was broke and had more important things on my mind. This is typical of out-of-touch monolithic institutions and the type of thinking that goes with it. It's outright absurd and funny, just like my sarcastic comment :)
You are correct, I completely missed that. However, he again fails to provide any sort of explanation of what he did to perform the attack. Even if he had reverted back to his native language, he never even attempts to explain what he did to perform the attack.
Figure out another way to reward this guy (maybe tell him that it's a gesture of goodwill only) and reward him. It doesn't have to be from Facebook, Inc, but he should get something from somewhere.
Otherwise, next time he or any of his friends find a vulnerability, they'd be tempted to share it with the people who would reward them, since they've seen firsthand that their reports to facebook seem to just get ignored. When you consider that his entire region is in turmoil, and that social media is clearly playing an important role in the uprisings across that region [whether you agree with them or not], you'll understand our reasons for insisting that his efforts be rewarded somehow.
Edit 1: Not suggesting that fb intentionally ignores their reports for poor English or any other reason, but that's clearly the impression they're getting.
Edit 2: And while I have no reason to believe that this guy (Khalil) would ever report a vulnerability to some dictator's security forces, others who have seen this story might. And those who have seen this need not be his friends either, since it's on HN, /r/technology, and elsewhere.
Edit 3: As tszming suggested, if you don't want to risk setting a precedent by offering cash, you could perhaps sponsor an all-expenses-paid trip (with no implications of future employment) for him to visit Facebook HQ. Granted I don't know the legal implications of this, but it does give you a chance to buy this guy lunch and tell him in person that you do appreciate his efforts, motivate him to continue reporting any vulnerabilities he finds, and tell him to encourage his friends to do the same. Actions speak louder than words, and there's no question this would have a far bigger impact than the dismissive two-liner he received, even if the intention was the same.
So what does this guy get for reporting one of the most relevant bugs that could have exploited the privacy of a billion people? PEANUTS!
When the top guys behave like this about rules, it clearly shows a lack of conscience. Rules are made to keep 99.9% of mess at bay.
This guy invaded the privacy of, say, 1-2 people, and that too only when the relevant authorities didn't respond in the correct manner, and saved the invasion of privacy of millions at least.
And what privacy? only a relevant post (not a spam) on profile of the company's biggest authority.
Yeah someone probably died of laughter from that post/ breach of privacy... So DUMB!
So they get the exploit and fix it without paying the person who found it. These kinds of actions lead exploit finders to instead pursue rewards through the black market. Very sad indeed.
The OPs English is not excellent (but way better than my Arabic)...but I'd be interested in hearing the FB responder's rationale for dismissing the initial submission. Language barrier aside, the link and the image provided should speak for themselves.
But perhaps the bug-hotline gets so much spam that the OP came off as junk email to the FB dev team? Just skimming over his email, I'm struck by how much poor punctuation and capitalization triggers my mental spam alert (and that's before even reading the actual contents).
Wow, upvoting this and I really hope it goes viral and FB gets called out for it. Hopefully he can get the bug bounty he deserves. That's incredibly sleazy of FB to treat him this way.
I'm surprised at how many people just assume the FB sec team doesn't want to pay and therefore tries to not pay if they can get away with it. Their history of paying out is completely the opposite. I've reported several bugs and they're always extremely helpful. They're not an insurance company that wants to reduce cost by screwing over users and there is no historical evidence of that. They want to pay for bugs and get as many of them as possible. What they don't want is for researchers to mess with other users' data. The guy could have just used two accounts to demo (he managed to create a new account after his own account was blocked). Using Zucks account doesn't make it more convincing from a tech perspective. It only makes the guy taken less seriously, as most researchers care more about how it works than messing with accounts of famous people. Not the smartest move. I understand the sec team draws a line and doesn't pay researchers that mess with other people's data. That's not sleazy, that's sane; otherwise it gets exponentially worse as people try to outdo each other in terms of impact instead of focusing on explaining the technique behind a hack.
"Using Zucks account doesn't make it more convincing from a tech perspective." - In this case, that's obviously false. The guy submitted the bug twice and the final reply was "This is not a bug." After posting to Zuckerberg's account it was subsequently fixed.
I'm sure the FB security team triages a lot of bug reports, and a few get away - hopefully they'll be better about trying to get more info (boiler plate requesting steps to replicate or a video), but beyond that no harm no foul. I can also see that they don't want to encourage researchers messing with real user data. However, if they paid him out and told him in the future, that he should provide more information and not use real accounts (or not get paid out, etc), that'd have the same effect (you know, since it already happened) w/o the bad will generated.
Instead, they didn't pay him, locked his account, and now we're reading that blog post, not only encouraging him and the people like him in the future to not submit these bugs in the future (certainly serious enough that it'd be worth discovering vs being in a 0-day marketplace), but generating way more visibility for no good reason. It's just not smart.
Just saw this on the front page of Google News, on CNet - looks like we've done it! Good for Khalil for getting the exposure he deserves, and I hope FB backtracks on their idiocy.
Looks like if you edit facebook in firebug while you are posting a link to your newsfeed you can change the source userid, which is not validated/checked and gets posted even though you don't have the permission to do it.
Have to agree with everyone here. The first email gives enough information to base a case on. Enough to simply do a quick search and verify these people aren't friends. I get less information than this from users for a product we support, it's frustrating, but if you don't investigate each lead as a potential you run the risk of having it snowball.
Shame on Facebook for dismissing this guy's reward due to the lazy actions of one employee. It would have taken one question, or one 5 minute validation of the claims to make this a non issue.
How does the first email contain enough information to base a case on? All he says is that he can post links to other people's walls. He makes absolutely no mention of not being the target's friend.
Hmm well the implication made sense to me. It would have taken a few seconds to see that these people weren't friends. And all the engineer had to do was ask at least one question to probe for more information instead of a dismissal.
Edit: I'm sure Facebook engineers have something a bit more advanced than this:
This obviously is because of the language barrier. It seems the bug reporter didn't have any evil intentions but was just trying to get the attention of facebook so this could be fixed, so I think he should be paid. Maybe you can ask for an apology for tampering with user data, as he was wrong on that part, but still he did discover a valid flaw in facebook's iron clad security.
I submitted a bug to Facebook's whitehat disclosure 3 or 4 months ago. Got no response whatsoever, except an automated response. The bug still exists. The bug allows users to post as though they are other users on the timeline. I think that is pretty serious, but I guess they do not.
I don't think you guys understand. You can't publicly use the exploit and then back away and use the white hat system after the fact. It clearly shows him spamming some profile before even making the first contact.
Edit: It was a tame music video. On the spectrum of demonstrating to a test account all the way through to selling his discovered flaw to actual spammers, I rate this at the low end.
The point is not to individually judge the harmful effects of using an exploit publicly. That would be absurd. You have no right to say that the video posted on the girl's facebook wall was not a big deal. And I have no right to say that it was a big deal. The only sensible thing is to disallow any public usage of exploits whatsoever.
My guess is he thought starting by explaining that he has a CS education would make them less likely to assume his comment was from an ignorant foreigner.
So Facebook refuses to pay this guy? So now this white hat hacker will next time, sell the hack and make a lot more money... Way to go Facebook, you've fucked up again.
What a terrible way to report a vulnerability. In no emails did Khalil clearly demonstrate how to reproduce it despite giving "repro steps" which weren't reproduction steps at all. I understand there is a language barrier but that's just pathetic.
Of course in hindsight they should have been more diligent, but how many reports do they receive per day? But I see no excuse for not paying the guy for finding a serious flaw in their system, especially dismissing it on 'TOS' grounds.
In my opinion good faith should be taken into consideration here. It sounds like he didn't understand the TOS as it was not in his native language. This didn't hurt facebook at all and saved them a lot of trouble. I don't get why they don't just pay up and say thank you. As well as giving him a copy of the TOS in Arabic to avoid future misunderstandings.
> I found an exploit, here's proof, but I'm having difficulty conveying information due to linguistic barriers.
> Nope that's not a bug.
What did you expect him to do? Learn English on the fly? Conveying specific technical things is a difficult skill to learn even for native English speakers.
Sure his communication isn't the best, but neither is "I can't click that link" nor "This isn't a bug."
Long time ago a friend and I once submitted a whitehat bug that allowed the user to send messages to anyone even if they disabled messages from non-friends. I don't think this option still exists, but anyways Facebook told us this wasn't a bug; we didn't even argue, suckers! I now wish I did the same as Khalil and recorded the bug.
Well, if you have the email, just reply to it and re-open the conversation and see what happens. If you can explain it correctly, they might be able to research if the bug indeed existed and was fixed. I did a follow up on a bug that I submitted before the whitehat program was in place and that I never got a response on. They looked up the bug, replied to me and paid me. Very diligent.
I had helped a friend report a security vulnerability to Facebook. It was similar in the sense that it allowed anyone who knew 2 Facebook usernames (easy to do) to post a private message to someone that would appear to come from a friend. You didn't even need to be authenticated on Facebook to do it and could post it from any machine on the Internet.
At first Facebook was similarly dismissive that it wasn't a bug. My friend pushed a bit to convince them with additional details and examples of how it could be easily used for exploits. They finally saw the light. The bug was fixed and my friend got paid $1K which wasn't much for the bug's seriousness. In any case it got fixed and my friend got acknowledged so it's OK.
It's a bit of a pity, though, that they didn't see it as serious at first. I would have expected any mediocre engineer to skip a heartbeat when learning of such a bug in their system.
He could have made test accounts with appropriate privacy settings. He could have just told the security team, "Your server does not validate permissions when posting to walls, so if you change this specific HTML form value to anyone else's profile ID, it will post to their wall."
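As an added illustration of the report wording in the comment above (example code written for this page, not Facebook's code): a wall-post handler that takes the target profile ID from the submitted form and never checks whether the poster is allowed to post there, next to a hardened handler that makes the decision from server-side state. The account names, IDs and the `wall_policy` settings are constructed test data, in the spirit of demonstrating on test accounts with appropriate privacy settings rather than on a real profile.

```python
"""Added example: missing vs. present authorization check on a wall post.
Illustrative only; accounts, IDs and privacy settings below are constructed."""

from dataclasses import dataclass, field


@dataclass
class Account:
    uid: int
    name: str
    friends: set = field(default_factory=set)
    # Who may post on this wall: "everyone" | "friends" | "only_me" (constructed policy names)
    wall_policy: str = "friends"


# Constructed test accounts: a reporter, a friend of the reporter, and a stranger.
ACCOUNTS = {
    1: Account(1, "reporter", friends={2}, wall_policy="everyone"),
    2: Account(2, "test_friend", friends={1}, wall_policy="friends"),
    3: Account(3, "test_stranger", friends=set(), wall_policy="friends"),
}
WALLS = {uid: [] for uid in ACCOUNTS}


def post_to_wall_vulnerable(session_uid: int, form: dict) -> bool:
    """The flawed behaviour described in the thread: the server reads the
    target profile ID straight from a form field and never asks whether
    session_uid may post there, so any logged-in user can choose any target."""
    target = ACCOUNTS[int(form["profile_id"])]
    WALLS[target.uid].append(f"{ACCOUNTS[session_uid].name}: {form['message']}")
    return True


def may_post(actor: Account, target: Account) -> bool:
    """Server-side policy decision. The client-supplied profile_id only selects
    the target; the permission itself comes from the target's own settings."""
    if actor.uid == target.uid:
        return True
    if target.wall_policy == "everyone":
        return True
    if target.wall_policy == "friends":
        return actor.uid in target.friends
    return False  # "only_me" or an unknown policy: deny by default


def post_to_wall_hardened(session_uid: int, form: dict) -> bool:
    """Same handler with the permission check the vulnerable one lacks."""
    actor = ACCOUNTS[session_uid]
    try:
        target = ACCOUNTS[int(form["profile_id"])]
    except (KeyError, ValueError):
        return False  # unknown or malformed target: reject
    if not may_post(actor, target):
        return False  # reject; a real service would also log this attempt
    WALLS[target.uid].append(f"{actor.name}: {form['message']}")
    return True


def demo() -> dict:
    """Exercise both handlers as the reporter (uid 1) with a tampered form whose
    profile_id was changed from the friend's (2) to the stranger's (3)."""
    tampered = {"profile_id": "3", "message": "hello"}
    legit = {"profile_id": "2", "message": "hi friend"}
    return {
        "vulnerable_tampered": post_to_wall_vulnerable(1, tampered),
        "hardened_tampered": post_to_wall_hardened(1, tampered),
        "hardened_legit": post_to_wall_hardened(1, legit),
        "stranger_wall": list(WALLS[3]),
        "friend_wall": list(WALLS[2]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that the form field is treated as a selector, not as proof of permission: the stranger's wall still receives the tampered post from the vulnerable handler, while the hardened handler rejects it and accepts only the post to the friend whose settings allow it.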
It's pretty freaking obvious there was a language barrier problem here. He knew of the whitehat program, but not the ability within it to create test accounts: he asks the security team to set up a test account so he can post to it to show them the problem.
Shitty move from Facebook, because 1) this is a major security issue, 2) it could have done a lot of damage, 3) who coded this in the first place, seriously?
One of my issues with FB is that it's not easy to report a problem or get any kind of support (although it's a free service). In one day, I lost over 100 Facebook friends with no explanation. It's obviously a little humiliating to have everyone think you defriended them. I hadn't seen the issue before, nor could I report it anywhere.
If I were this guy, I would rather say screw it than try to get attention by posting to Mark's wall. Given the recent cases in the USA (e.g. he used wget!!!), Facebook could give him a massive slap and sue him. And probably win.
To all the commenters that think Facebook should pay this guy: he became "the guy who hacked Mark Zuckerberg ON Facebook" overnight. I guess that this will probably open some doors for him, and if not, he's still become famous. :)
Maybe Mark should just hire the guy to replace the initial bug responder.
Taking into account the fogginess of the researcher's emails and the number of emails FB whitehat receives daily... I am not surprised they said it's not a bug.
PROTIP: Reports should have PoC and be concise. No information about your bachelor degree should be attached.
Let's hope that OP doesn't have any more security vulnerabilities in hand, because if he does, FB will pay the price of not paying him the first time :)
Well, since you seem to have a top comment there - you don't see an error in the way the initial security responses were handled? Why didn't they guide him into providing the information they needed, or ask him specifically? Or point him to the whitehat program, etc.? They have no responsibility there - is that what you're implying?
Unfortunate situation, but I suspect that the overwhelming majority of HN would have dismissed this out of hand (though it is perfect hindsight to now say they should have worked harder, etc). It reads like minimal-effort ramblings.