Earlier this week, security researcher discovered a bug Khalil Shreateh Facebook allows to place on the wall of a person a hacker - even if they were friends of that person.
While he was able to prove to Facebook that his statement was legit (despite an initial response that was a mistake at all), Facebook was not happy with the way I did: with error published in different Zuckerberg just friends wall.
Security research can be a very difficult balancing act. If you breach the terms of the officers of the company to a T, you could be robbing yourself of their fair share of recognition and, if the company is one of the many rewards of errors provides a chunk of money in effective . Unfortunately, the exploitation of their way to Zuck timeline ... not exactly meet the reporting rules of Facebook.
In his first report bugs, Khalil showed he is capable of writing on someone's wall by presenting a link to a post I made (in the wall of a friend Sarah Goodin Zuck University of wax, and the first woman on Facebook.)
Unfortunately, the security team member of Facebook, click on the link that was no friend of Goodin, whose wall was set to be visible to just friends. Therefore they could not see the post of Khalil. (While Facebook certainly Security privacy settings can overwrite anything posted on the site, which did not seem to do and see here)
"I see nothing when I click on the link with the exception of a mistake," replied the Facebook security team.
Khalil failure refers to the same subject, explaining that no one examines the link should either friends with Goodin, or should "use [his] own authority" to see the message.
"I regret that this is not a mistake," replied the same member of the security team, apparently do not understand what happened.
Khalil responded by taking his show to the next level, and if not to convey, in one of the walls of friends Mark Zuckerberg's his point may post on the wall itself would Zuck?
On Thursday afternoon, Khalil posted a note on Zuckerberg timeline. "Sorry to break their isolation [message] to the wall," he said, "I [had] no choice after all the reports I sent to the Facebook team to make".
Within minutes, the engineers from Facebook comes to Khalil. He had made his point.
Through outreach programs whitehat Facebook exploits, security researchers are paid at least $ 500 for each critical error report responsibly. $ 500 is just the minimum - the size of pay increases with the severity of the error, with no limit.
Unfortunately there would be points Khalil errors. Among other conditions, the disclosure policy failures Facebook requires that researchers use test accounts for research and reports, instead of the accounts of other Facebook users. By placing Zuck Goodin and walls, that the rules for the door had broken almost immediately. Their reports also not enough information about how to reproduce the error, says Facebook:
Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
As Khalil first post on Friday, is a healthy debate about whether or not Facebook should pay you a reward. A, its rules of disclosure for (perhaps unconsciously - as many have noted, the Facebook terms of disclosure are only available in English, resembling the native Khalil are) broke and, secondly, it was apparently trying to reporting rather than to sell to spammers responsibly.
Even Facebook's own engineers in the debate. On Hacker News, Facebook Security Engineer Matt Jones made things as he saw them:
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it’s sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here:https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
What do you say? If Facebook bending the rules and pay? Can you break the rules a dangerous precedent?
You can follow us on Twitter, add us to your circle on Google+ or like our Facebook page to stay updated on the latest news from Microsoft, Google, Apple and the web.
0 comments: