Summary: Palestinian IT security researcher Khalil Shreateh discovered a Facebook bug that allowed a hacker to post on anyone's wall — even if they weren't that person's friend. Khalil has had his account disabled and been told he won't be paid a bug bounty after demonstrating the vulnerability by posting an image on Mark Zuckerberg's timeline.
In a blog post, Khalil Shreateh described a vulnerability that allowed an attacker to post images to someone else's timeline even though the attacker was not on the target's friend list. Khalil tried twice to report the problem to Facebook's security team via the company's bug-disclosure and bounty program. The first time, Facebook security representative "Emrakul" couldn't see the results of Khalil's work, presumably because Emrakul wasn't friends with the person Shreateh had used as a proof of concept for the loophole. The second time around, Emrakul told Shreateh that his findings were "not a bug." Khalil, who doesn't appear to be keen on taking "no" for an answer, took the next logical step: he used the loophole to post directly on Zuck's wall, likely hoping to stir the pot a bit and get a stronger acknowledgement of his findings.
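The underlying defect is a missing server-side authorization check: the service accepted a client-supplied target timeline without confirming the poster was allowed to write there. The following is an added, illustrative example (not Facebook's code or Shreateh's proof of concept) that models a toy timeline service with a hypothetical buggy handler beside a hardened one, plus an audit query a defender could run over stored posts to surface writes by non-friends. The class, method and user names are all invented for the example.

```python
# Added example (not Facebook's code): a toy timeline service showing the
# bug class described above, a missing server-side authorization check,
# next to the hardened version and an audit query that would surface abuse.
from dataclasses import dataclass, field


class PostNotAllowed(Exception):
    """Raised when the poster may not write to the target's timeline."""


@dataclass
class TimelineService:
    # Friendships are undirected, stored as frozensets of two user ids
    # (constructed sample data, no real accounts involved).
    friendships: set = field(default_factory=set)
    posts: list = field(default_factory=list)  # (poster, owner, content)

    def are_friends(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.friendships

    def post_vulnerable(self, poster: str, owner: str, content: str) -> bool:
        # Hypothetical buggy handler: trusts the client-supplied owner id and
        # never checks the relationship between poster and timeline owner.
        self.posts.append((poster, owner, content))
        return True

    def post_hardened(self, poster: str, owner: str, content: str) -> bool:
        # Authorization decided server-side from the relationship graph:
        # only the owner or one of their friends may write to the timeline.
        if poster != owner and not self.are_friends(poster, owner):
            raise PostNotAllowed(f"{poster} may not post on {owner}'s timeline")
        self.posts.append((poster, owner, content))
        return True

    def audit_unauthorized_posts(self) -> list:
        # Detection: stored posts whose poster was neither the owner nor a
        # friend at audit time. Useful when reviewing a suspected bypass.
        return [p for p in self.posts
                if p[0] != p[1] and not self.are_friends(p[0], p[1])]


def demo():
    svc = TimelineService()
    svc.friendships.add(frozenset(("alice", "bob")))  # constructed graph
    # A friend-to-friend post passes the hardened check.
    svc.post_hardened("alice", "bob", "hi bob")
    # 'mallory' is not bob's friend: the buggy path stores the post anyway...
    svc.post_vulnerable("mallory", "bob", "unsolicited image")
    # ...while the hardened path rejects the same request.
    try:
        svc.post_hardened("mallory", "bob", "unsolicited image")
        rejected = False
    except PostNotAllowed:
        rejected = True
    flagged = svc.audit_unauthorized_posts()
    return rejected, flagged


if __name__ == "__main__":
    was_rejected, flagged_posts = demo()
    print("hardened path rejected stranger:", was_rejected)
    print("audit flagged:", flagged_posts)
```

The point of the audit method is that an authorization bug like this leaves a detectable trace in data you already hold: any post whose author is neither the timeline owner nor one of their friends is worth a second look, and that query can run retroactively once the bug is suspected.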
Facebook software engineer Matt Jones took to Hacker News to offer a bit of an explanation behind Facebook's response and why Shreateh is out his minimum reward of $500 for the finding.
“To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video initially, we would have caught this much more quickly,” Jones wrote.
Source: facebook vulnerability 2013