(click image for larger view)
Memo from Facebook to security researchers: Don’t hack the boss’s Facebook wall.
That’s the gist of the company’s response to Palestinian information security researcher Khalil Shreateh, who twice attempted to report a serious site vulnerability to the social network’s White Hat team, only to have Facebook dismiss his reports when they couldn’t be reproduced.
According to a blog post by Shreateh, the vulnerability, which he recently discovered, allowed him to post messages — including photos and links — to anyone’s Facebook wall. That included Facebook walls that would have been private, with access restricted to anyone who wasn’t “friends” with the accountholder.
Shreateh, who lists his occupation as being an unemployed information systems engineer, twice attempted to alert Facebook to the problem. He also included as a proof of concept a link to a private page to which he’d been able to post. The page belonged to Sarah Goodin, a close friend and former Harvard University classmate of Facebook CEO Mark Zuckerberg.
[ Hungry? Read Facebook Mobile Does Restaurant Reservations. ]
Both times, however, Facebook’s security team replied that that it couldn’t reproduce the problem. “Sorry this is not a bug,” read one such email to Shreateh. As the security researcher tried to make clear, however, the bug couldn’t be reproduced simply because Facebook’s security team didn’t have access rights to Goodin’s wall — they weren’t “friends” on the social network.
Frustrated, Shreateh looked for a way to demonstrate the vulnerability to Facebook, and chose to do so by posting an arbitrary message to Zuckerberg’s own wall. “Dear Mark Zuckerberg,” began Shreateh’s message. “Sorry for breaking your privacy and post (sic) to your wall, I has no other choice to make after all the reports I sent to Facebook team,” continued Shreateh, who sent the message from his own Facebook account.
Shreateh also demonstrated the exploit in a video he recorded late Wednesday and posted to YouTube.
Posting to Zuckerberg’s wall — and possibly also because Shreateh used Edward Snowden’s photograph as his profile image — triggered a rapid response. Just minutes later, a Facebook security engineer messaged Shreateh, requesting more details about the vulnerability. A few minutes after that, however, Facebook suspended Shreateh’s account.
In response to Shreateh requesting that his account be reactivated, Facebook said the suspension had been a precautionary measure. “When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,” wrote a member of Facebook’s security team. “We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.”
Facebook also told Shreateh that his technique for illustrating the vulnerability had disqualified him from the company’s White Hat bug bounty program. “We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service,” wrote Facebook’s security team.
Indeed, Facebook’s “responsible disclosure policy” says that any payout is contingent on researchers not making any vulnerability details public until after the social network has put a fix in place. In return, Facebook agrees to — in effect — indemnify anyone who shares vulnerability information. “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you,” according to Facebook’s policies.
Still, did the social network do the right thing with its handling of Shreateh? “I have to admit that I have some sympathy with Facebook on this issue,” said independent security researcher Graham Cluley on his blog. “Although he was frustrated by the response from Facebook’s security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg’s wall.”
“Instead, he might have been wiser to go back (again) to Facebook’s Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact,” Cluley said. “If he was still not happy with their response, a technology journalist should perhaps have been his next port of call.”
Make sure your end users recognize and know how to avoid the latest Web-based attacks. Also in the new, all-digital 10 Web-Based Attacks Targeting Your End Users special issue of Dark Reading: Refresh often for effective security training. (Free registration required.)
Article source: http://www.informationweek.com/security/privacy/facebook-slaps-researcher-who-hacked-zuc/240160131