Facebook ignores security bug discovery, man takes to Zuckerberg's timeline to prove point (VIDEO)
Posted by: Jon Ben-Mayor on 08/18/2013 07:34 AM
If you recall, we posted a story about the Facebook 'Bug Bounty' that promised monetary rewards to people who discovered bugs in order to keep users safe. Well, it seems that Facebook is trying to renege on that promise, claiming that the discoverer of a bug violated the Terms of Service.
Khalil Shreateh, who says that he has a B.A. degree in Information Systems, claims to have discovered a vulnerability that lets anyone post a link to other Facebook users' walls.
According to The Verge, Shreateh says he reported the bug to Facebook recently, but instead of taking him seriously, he claims, the company ignored the problem and decided it wasn't a bug.
In a lengthy blog post outlining the timeline of events, Shreateh says he tested the vulnerability on Sarah Goodin — a friend of Facebook CEO Mark Zuckerberg, and the first woman to sign up to the service — before reporting it through Facebook's whitehat disclosure service for security researchers. The whitehat service rewards researchers with at least $500 for successful bugs.
In a copy of an email sent to Facebook, Shreateh explains the details and notes that the security team might not be able to see his test post as Goodin restricts posts to only her friends. Despite attaching a screenshot of the post, a Facebook security engineer, identified only as Emrakul, replied saying "I am sorry this is not a bug," without asking for additional information.
Unperturbed by the response, Shreateh decided to notify Mark Zuckerberg himself by posting to his timeline. Minutes later, Facebook security engineer Ola Okelola contacted Shreateh requesting details on the exploit. Facebook disabled his account, presumably fearing a wider security breach. Shreateh's account has now been re-enabled, but the company claims his original report "did not have enough technical information" for them to take action. In an email to Shreateh, a Facebook security engineer — identified as Joshua — claims the company is "not able to pay you for this vulnerability because your actions violated our Terms of Service."