Bug-finder chucked for posting to Zuck

A Palestinian IT graduate has had his account disabled and been told he won't be paid a bug bounty after demonstrating a Facebook security vulnerability by posting an image into Mark Zuckerberg's timeline. As explained in this blog post, Khalil Shreateh discovered a vulnerability that allows an attacker to post images into …

COMMENTS

This topic is closed for new posts.
  1. DarrDarr

    Sounds like just another reason to avoid facebork at all costs.

    1. g e
      Happy

      Facebork

      I shall be adding that into rotation with Farcebook, Failbook and Farmbook.

      ;oD

      1. Robert Ramsay
        Thumb Up

        Re: Facebork

        I prefer Fritter and Wastebook...

        http://thecaptainbritainblog.wordpress.com/2013/08/14/bonus-post-captain-britain-trash-talks-the-internet-in-avengers-arena-13/

      2. Anonymous Coward
        Anonymous Coward

        Re: Facebork

        Farcebook

  2. Black Rat

    Pay the guy!

    What we appear to have here is a simple failure to communicate not malicious intent, pay the guy!

    1. stizzleswick

      Re: Pay the guy!

      And re-instate his account, of course.

      1. Khaptain Silver badge
        Boffin

        Re: Pay the guy!

        "And re-instate his account, of course."

        He is far better off without it.....

        1. Yet Another Anonymous coward Silver badge

          Re: Pay the guy!

          Isn't this actually stupid enough to feature on the "Evil Overlord List"?

          101: If a minion points out an obvious flaw in my plan which would allow an enemy into my inner sanctum I will listen to him and not have him shot for his impertinence.

  3. Roger Stenning
    Facepalm

    ...and here we see the "Head In The Sand" approach to system security...

    ...is it any wonder that I refuse to sign up to FaceBook?

    D'OH... well, because!

    1. NomNomNom

      Re: ...and here we see the "Head In The Sand" approach to system security...

      If you were on Facebook you could have added that message to your timeline and your Friends could have Liked it. But you are not on Facebook so this did not occur.

      Why you not on facebook? You are an inexplicable mystery conundrum.

      1. Captain Save-a-ho
        Pint

        Re: ...and here we see the "Head In The Sand" approach to system security...

        Probably because he's already seen all the mindless drivel most people post on Facebook and all of his friends prefer to meet at the pub instead for a pint. Or not.

        1. Roger Stenning
          Pint

          Re: ...and here we see the "Head In The Sand" approach to system security...

          Spot on target ;-)

        2. Jamie Jones Silver badge
          Happy

          Re: ...and here we see the "Head In The Sand" approach to system security...

          " Probably because he's already seen all the mindless drivel most people post on Facebook"

          Surely that just shows the quality of your friends!

        3. Tim Parker

          Re: ...and here we see the "Head In The Sand" approach to system security...

          "Probably because he's already seen all the mindless drivel most people post on Facebook and all of his friends prefer to meet at the pub instead for a pint. Or not."

          There's the possibility that there's been an irony failure here - especially considering his second post. Or not.

          1. Jonathan Richards 1
            Go

            Re: ...and here we see the "Head In The Sand" approach to system security...

            Not an irony failure, exactly. Picture the scene - Nom stands in the shallows of the digital river in his Waders of Anonymity and ties a "poor english Facebooker freind"* to his line. Casting it lightly above the swirling Reg forums, he skillfully lures the Lesser Commentard to the surface. Occasionally one will froth and writhe for his amusement, and for that of onlooking admirers.

            A pint behind the bar for Friday, Nom.

            *Yes, sic. There's a bonus for somebody being lured into using Jimmy Edwards.

      2. Roger Stenning

        Re: ...and here we see the "Head In The Sand" approach to system security...

        Better a mystery, than having all my personal details sprayed out for all to see and abuse. Let's face it, FaceBook's approach to information security has not, historically, been anything to proudly shout about, has it?

      3. Anonymous Coward
        Anonymous Coward

        Re: ...and here we see the "Head In The Sand" approach to system security...

        Instead of those of us NOT on Facebook or Twitter explaining why we are not signed up, perhaps you could explain the top 10 compelling reasons why we should be on it/them?

        Please note that saying that I can communicate with friends is not good enough. Most of my friends are not on them either (but for different reasons to me)

        1. ratfox
          Pint

          Re: ...and here we see the "Head In The Sand" approach to system security...

          I joined at the time to participate in a discussion/group/whatchamacallit.

          But indeed, the most important attraction is to read what is happening to your friends, assuming what they write is not "had a donut today" and rather "will be in NY next week-end, anybody there up for a drink?"

          1. NomNomNom

            Re: ...and here we see the "Head In The Sand" approach to system security...

            I have two Facebooks accounts so I have double friends. You have no Facebook account so you have no friends. Why you not want friends? That is strange minded. I will be your friend. Why not follow me on Twitter?

        2. Salts

          Re: ...and here we see the "Head In The Sand" approach to system security...

          I'll second that request, what are the top 10 reasons for using facebook?

          1. Steve 13
            WTF?

            Re: ...and here we see the "Head In The Sand" approach to system security...

            Surely 1 good reason to use facebook would be enough of a reason to use it.

            Nobody claims that email is secure, but you use that (I guess), and I doubt that anyone can list 10 reasons to use email without some of those reasons being subsets of a reason already listed.

            There are reasons to not post too much personal information on facebook, and I certainly don't care if you don't want to use it, nor do I want to convince you to use it. But the inverse IT snobbery being demonstrated by a lot of posters is a little bit ironic IMO.

            1. Salts

              Re: ...and here we see the "Head In The Sand" approach to system security...

              OK one good reason then, no inverted IT snobbery here. I have tried FB but I still find no reason to use it that is worth the effort, I often wonder if I am missing something important.

            2. Anonymous Coward
              Anonymous Coward

              Re: ...and here we see the "Head In The Sand" approach to system security...

              Steve 13 > Surely 1 good reason to use facebook would be enough of a reason to use it.

              The best reason for using Farcebook is that I don't use it.

        3. Bill B
          Thumb Up

          Re: ...and here we see the "Head In The Sand" approach to system security...

          I don't have 10 top reasons for being on facebook and I admit my use of it is only applicable to myself, but here goes.

          I have family scattered across the States, Canada, New Zealand, Australia and Italy. I have an equally scattered circle of friends. I use Facebook to keep in contact with all of them, share what we're doing, family pics and news. Before Facebook we used email with a BIG circulation list.

          Security is set to Friends (sometimes 'Friends of Friends') but specifically family stuff is limited to a Facebook group.

          I don't tend to 'friend' people I'm in everyday contact with because .. well .. I see them everyday. But Facebook has been a really good medium for maintaining contact with distant family and friends.

          Facebook isn't for everyone. On the other hand, there are some things it does well, which is, I assume, why it survives. If you have an alternative method of keeping in touch then sure, let me know.

          1. Anonymous Coward
            Anonymous Coward

            Re: ...and here we see the "Head In The Sand" approach to system security...

            Well, there is the telephone or writing a letter.....

        4. nanchatte
          FAIL

          Re: ...and here we see the "Head In The Sand" approach to system security...

          Why do I have to give 10 compelling reasons to YOU? As with most free(mium) services, if you're sensible about using it and apply it correctly, it's a nice free tool that can generate income.

          I have two Facebook accounts... one to keep in the loop with friends and family back in England and another for my business. Many of my customers in Japan use Facebook. In fact, I'd go as far to say that Facebook is rampant among certain (my target) demographic. My income has increased about 300 pounds a month since I started my Facebook page just three months ago and customers are increasing steadily, TYVM. That buys a lot of Friday night beer at the pub.... Yes, Facebook and beer are NOT mutually exclusive.

      4. Vociferous

        Re: ...and here we see the "Head In The Sand" approach to system security...

        <NomNomNom buried 15 levels deep>

        Good lord, commentards truly are sarcasm-impaired.

  4. Shannon Jacobs

    OTHER is NOT an option for security

    Does this reply post count as an open letter to Facebook? I also tried to report some problems to Facebook via the official Facebook channels. I don't think they were listening, and anyone who trusts Facebook with ANY sensitive data is a gigantic fool.

    Hey, let's try persuading the black hat hackers that they have to play by the rules! Isn't that a brilliant idea?

    Listen here, you morons of Facebook:

    The essential nature of security threats is that you do NOT know what they are in advance--or you would have blocked them already and they would NOT exist as security threats. Sometimes that means the reporting mechanism may not be suitable for accepting the information. You ALWAYS need an OTHER channel. Shooting the messenger for YOUR incompetence is NOT a solution.

    In conclusion, I do NOT trust Facebook at all. However, I don't think they are yet as EVIL as the google has become. It's just that the amazing incompetence of Facebook combined with the sensitive personal data makes Facebook much more dangerous.

    1. Anonymous Coward
      Anonymous Coward

      Re: OTHER is NOT an option for security

      In conclusion, I do NOT trust Facebook at all. However, I don't think they are yet as EVIL as the google has become.

      THE Google? :). I disagree, evil through malice or evil through ignorance is still evil. I'm not defending Google (I agree with your original statement), but it must be observed that FB started with a hack, whereas Google started with a product that people actually wanted (search) because it was indeed far better than the competition. FB is basically large scale social engineering.

      1. Dan 55 Silver badge
        Alien

        Re: OTHER is NOT an option for security

        The Google is appropriate, it has the same ring about it as The Borg.

    2. Solmyr ibn Wali Barad

      Re: OTHER is NOT an option for security

      They tried to handle matters as a typical $BIGCORP. There is an official process for reporting problems - and like most official processes, nearly impossible to use in practice.

      But there is a difference, though. They have Zuck. He is quite able to go nuclear on this "process".

  5. rcorrect
    Thumb Up

    Thanks for the information!

    Now sit and spin!

  6. jake Silver badge

    ::teehee::

    Kids these days ... no concept of hardware-up security.

    No idea of wetware-down security, either.

    The entire so-called "social" networking thing is a major accident waiting to happen.

    EOF

  7. Anonymous Coward
    Unhappy

    Person helps to improve Facebook in non-disruptive manner....

    Person gets account suspended.

    Makes sense to me! (Yes, that was sarcasm)

  8. Chairo
    Facepalm

    WTF?

    since Facebook's team wasn't friends with the target account he used to demonstrate the bug, they could not see the links he provided

    Facebook's quality team is not able to see all Facebook postings? There is no one with admin rights that could check some bug report out?

    Is this a sign of incompetence or just laziness?

    1. Robert Helpmann??
      Childcatcher

      Re: WTF?

      Is this a sign of incompetence or just laziness?

      No, it's plain, old-fashioned BS.

  9. Anonymous Coward
    Anonymous Coward

    Instead of saying "facebook is evil, I never went there, aren't I a clever OLD bofh"..

    Why don't the comments here show a little sense and perhaps suggest that the terms of the facebook bounty are contradictory to the ToS and therefore constitute an unfair contract in the eyes of UK law anyway.

    If I was him, I would now be exploiting this to post all sorts of sh*t all over facebook.

    If they want to be c*nts about paying him, he should show them the value of the report and what the exploit could do if in the wild.

    They are only slapping him down because anyone who is sheep enough to report a problem to facebook and expect them to care is a fool.

    All big US corporations (led by apple) have nothing but contempt for their customers when it comes to treating them like humans, so any fan-boi is already a brain washed idiot that the company can treat badly.

    1. jake Silver badge

      Re: Instead of saying "facebook is evil, I never went there, aren't I a clever OLD bofh"..

      "All big US corporations (led by apple)"

      ::snort::

      Apple leads in marketing, not technology.

    2. Anonymous Coward
      Anonymous Coward

      Re: Instead of saying "facebook is evil, I never went there, aren't I a clever OLD bofh"..

      If I was him, I would now be exploiting this to post all sorts of sh*t all over facebook.

      If they want to be c*nts about paying him, he should show them the value of the report and what the exploit could do if in the wild.

      The first was a warning of a vulnerability, which is acceptable in most jurisdictions. What you are proposing would amount to breaking the law. IF FB want to be cheap bastards, fine, but I think the guy would be smart not to do anything criminal. The facts are out there now, no doubt others will start doing this already until FB fixes the problem.

      Oh, and yes, I agree with most people that FB's response was exceptionally lame and appears more aimed at not having to pay out the bounty. Translated: any further vulnerabilities will no longer be reported. Well done, morons.

      1. Mystic Megabyte
        Unhappy

        Re: Instead of saying "facebook is evil, I never went there, aren't I a clever OLD bofh"..

        >>Translated: any further vulnerabilities will no longer be reported. Well done, morons.

        Facebook is a vulnerability!

  10. Pax

    Maybe FB's 'bug' was the same method by which they decided to post ads and other advertising commentary into your stream.

    Now they need to find another method to violate you....

  11. Thunderbird 2

    Next Time

    Farcebook just escalated things.

    Next time a bugfinder finds a bug they won't report it until they have a second and more deadly bug with which to backhand volley the "we won't pay the bounty/we will suspend your account" attitude. The backhand volley being publicly reported in as many forums as possible and resulting in complete pawnage / outage.

    Will Zuck fire the security teams, or the people that didn't authorise bounty payment?

  12. volsano

    Bugs, features and no-nos

    Odd. He had been specifically advised by facebook that the behaviour was not a bug.

    So he used the behaviour exactly as facebook knew it could be used.

    They then went all TOSsy with his ass, told him that Terms of Service trumps Security Team.

    Tells us all we really need to know about facebook's technical priorities.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bugs, features and no-nos

      "He had been specifically advised by facebook that the behaviour was not a bug."

      This seems to be a standard modus operandi with FB's Security Team. <SARCASM>It's a "feature" not a bug... sound familiar?</SARCASM>

      I reported something fairly recently which as it turned out had been highlighted years previously (https://www.quora.com/Facebook-1/Are-Facebook-pictures-really-private-and-are-they-hosted-on-Facebook-servers). All your photos posted to Facebook or Facebook chats are stored directly on Akamai servers without any authentication. So any Privacy settings you apply to those items mean sweet bugger all as you can copy the URL to that image and send it to all and sundry to view without them having to log in to Facebook and be constrained by any controls you have placed on the pictures (including setting the permission to "Just Me"). This is something Facebook Security do not view as a problem and thus will not change. Object storage security in the cloud (for me at least) is a basic requirement.

      Yes, it doesn't stop people permissioned to see it from saving it and distributing it (which is FB's Security's excuse as to why they won't fix it). I do see that as a valid possibility, but for them to not bother with securing your attachments in the "cloud" makes you think what other corners are they cutting? I did ask the question as to why the Privacy controls exist on the pictures in the first place if it can be bypassed this way - no response to that question.

      Not that I advocate this in any way but it sounds like a very plausible possibility for a trojan to harvest out URLs of pictures posted by FB users to be then used for nefarious / bribing purposes at a later date. This was an idea floated to FB Security but was dismissed given that a trojan compromise would effectively "own" the computer. Fair point, but knock up some malicious Javascript and that would do it.

      Regarding corner cutting, there's one other issue I've reported but we are still discussing the merits of it so cannot talk about it here. Whilst low risk, it's quite basic that I am surprised this wasn't caught earlier.

      Yes, the URLs of pictures uploaded to Facebook (for now) are (potentially) random enough to prevent enumeration of photos posted by folks but security through obscurity is never a good approach and doesn't mean it won't be broken in the future.

      The fix? Well, authenticate all photo URLs back to FB and honour the Privacy settings. But I think someone has made an engineering decision that this would be quite expensive from an implementation point of view to have Akamai's offering linked in with FB's authentication / privacy system.

  13. Roo

    Mindless retaliation.

    He was contacted by Facebook's security goon *after* he defaced Zuck's timeline, clearly it wasn't an issue that he broke the ToS when he tried to demo the bug with a friend's account, therefore I suspect his account was suspended due to Zuck taking his account defacement personally.

    Poor show from the goons in the first place though, if they couldn't validate the exploit because they couldn't access the demo account they should have created one they did have access to and told him to test against that instead.

  14. Jon Green
    Facepalm

    What did he expect?

    Attacking the Facebook CEO's page? That was never going to end well.

    In his blog, he says, "i has [sic] no choice than to post to Mark Zuckerberg's timeline". This is far from true. If he wanted to demonstrate it, he should have created a new FB account, and used that to post images into the timeline of his own home page, or onto that of someone high-profile with whom he'd agreed the stunt.

    1. Dan 55 Silver badge
      Facepalm

      Re: What did he expect?

      The article says he did, but Facebook's security team were unable to use their own privacy controls.

      Icon's for Facebook's security team.

      1. Jon Green

        Re: What did he expect?

        @Dan He didn't create another account, and it's by no means clear that his original demonstration was with consent.

        If you read his blog post, from which I drew the quote, you'll see that he posted to the timeline of someone who was (or is) at the same college as Zuckerberg attended. Whether or not with her permission is unclear, but, since he wasn't in her friends list, it's not unreasonable to suspect it was not.

        The only responsible way to demonstrate a vuln like this is to use two mutually-unfriended accounts, both under the control of the tester. Far from being the only recourse left to him, posting to Zuckerberg's timeline was a publicity stunt by Shreateh, and someone with an IT degree ought to have the security nous to realise that it was inevitably going to backfire.

        1. Sir Runcible Spoon
          Happy

          Re: What did he expect?

          "it was inevitably going to backfire"

          Hmm, so he doesn't get paid, but does garnish some notoriety. Tricky call, time will tell.

          As for having his account revoked, I would consider his overall position to be 'up'.

    2. Benjol

      Re: What did he expect?

      Wouldn't creating a second account also be a violation of ToS?

  15. Another User

    Khalil Shreateh is back

    His timeline says he joined facebook 30 min. ago.

    Not sure though if he can enjoy a beer.

  16. Potemkine Silver badge

    Parodying El Reg...

    "You won't get the bounty.... bitch."

  17. Anonymous Coward
    Anonymous Coward

    They should consider themselves lucky that he didn't sell it to malware distributors or "financial terrorists" after being ignored the first time - let me put it this way, if someone had a bot net set up to blast unpleasant things all over facebook, invade privacy and compromise users' machines, what would it have done to their share price?

    Now, will the next person who is ignored persist in trying to get his (or her) $500, or might they take the less ethical route, in light of this researcher's experience?

  18. Version 1.0 Silver badge

    Terrorism

    Wait 'till he tries to enter the USA in a couple of years - it's cavity searches for you m' boy.

  19. Anonymous Coward
    Anonymous Coward

    $$$$$

    Of course Zuckerborg found an excuse to wriggle out of paying up.

    You didn't really think he became so rich by being fair and honest, did you ?
