A member of Facebook’s security team acknowledged over the weekend that the group could have taken further steps to verify a vulnerability initially brought to their attention by an independent security researcher last week but that the company largely adhered to its bug disclosure policy.
That flaw, discovered by Palestinian independent security researcher Khalil Shreateh, allowed him to post to any user’s Facebook wall, regardless of whether the users was his friend. Shreateh emailed Facebook’s security team after finding the flaw last week but failed to fully get the team’s attention.
Shreateh went on to use the bug to post a message on the wall of Facebook CEO Mark Zuckerberg to prove its validity.
“Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team,” read the post, which has since been removed.
Facebook security team member Matt Jones took to Y Combinator’s Hacker News site yesterday explaining that in essence both parties could’ve handled the situation better.
Jones acknowledged that the Facebook team should’ve asked Shreateh for additional bug reproduction techniques during their exchange. Shreateh included a video on his blog post that further broke the vulnerability down – but apparently failed to include that in his first email to Facebook.
“We should have pushed back asking for more details here,” Jones wrote on Hacker news, later suggesting that while Shreateh’s English wasn’t great, it wasn’t an obstacle and but a challenge the security team is used to dealing with.
According to his blog post, Shreateh initially demonstrated his vulnerability by posting an Enrique Iglesias music video on a friend of Mark Zuckerberg, Sarah Goodin’s wall. Shreateh had hoped his actions would get Facebook’s attention but instead the security team wrote back saying it simply wasn’t a bug.
It was after this that Shreateh moved onto Zuckerberg’s account, which wound up being one of the mistakes he’d make.
“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” Jones wrote, adding that the way Shreateh reported the bug disqualified him from receiving some sort of payout for it.
As part of Facebook’s bug bounty disclosure policy, the company urges users to “make a good faith effort to avoid privacy violations,” to use a test account while investigating vulnerabilities and to “not interact with other accounts without the consent of their owners,” none of which Shreateh did, according to Jones.
“We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines,” Jones added at the end of his post.
Facebook first launched its bug bounty program back in 2011 and in the last two years the social networking giant has paid out more than $1 million to more than 329 researchers. Researchers from UC Berkeley found earlier this year that bug bounty programs, at least with Google and Mozilla, can be as much as 100 times more cost-effective for finding security vulnerabilities.
If Shreateh had used a dummy account and better explained the vulnerability, this may have been more quietly addressed. Staying away from Zuckerberg’s account probably would’ve helped too – as Shreateh reports that his post got his account disabled – although eventually re-enabled – shortly after.
The issue brings to mind a story from earlier this year where PayPal refused to pay a bug bounty to 17-year old researcher Robert Kugler after he discovered a cross-site scripting (XSS) flaw in the popular e-commerce site. While there was a fair bit of confusion at first why PayPal rejected the bug, the company ultimately acknowledged that Kugler didn’t qualify for an award because he wasn’t old enough to have a verified account on the site.
While it remains to be seen if companies will adopt a looser stance towards how they accommodate security researchers going forward, in this case it looks as if Facebook is sticking to their guns, adamant that Shreateh didn’t follow the rules.