Khalil Shreateh, a Palestinian ‘white hat’ hacker, found a vulnerability in Facebook’s security system and reported it to the social networking site’s security team twice. The security team refused to acknowledge the issue, saying ‘this is not a bug’.
However, much to the surprise of the ‘harmless’ hacker and the entire world, when the issue was posted on Facebook founder Mark Zuckerberg’s timeline by hacking into his account, the ‘non-bug’ suddenly became a major bug and Shreateh’s Facebook account was suspended.
According to Shreateh’s finding, the vulnerability allows a Facebook user to post on another Facebook user’s timeline even if they are not Facebook friends.
The Palestinian ‘white hat’ hacker first hacked into the timeline of a woman named Sarah Goodin and posted there despite not being on her friend list. Goodin, apparently, had been in college with the Facebook founder.
Shreateh reported the issue to the Facebook security team, only to get the answer: “I don’t see anything when I click the link except an error”.
The hacker submitted the same issue a second time, providing the security team with more details. This time the reply was a little blunter: “I am sorry this is not a bug.”
It is not as if Shreateh did not try to bring the issue to the Facebook privacy team through proper channels. He also posted the issue on Facebook’s security page. There the hacker was polite, but at the same time he described his discovery in strong words.
As the hacker is not a native English speaker and not very familiar with the way a security issue should be reported, he asked the security team to “make a test account” to demonstrate the issue. He also voiced his concerns about the site’s policies, saying, “I can post to Mark wall either but I will not cause I do respect people privacy (sic).”
Shreateh, no doubt, violated the security terms of the website by testing the security flaw on a live account. However, isn’t Facebook equally responsible for ignoring a security issue until it was targeted at the company’s CEO?
The hacker could not receive any money from Facebook’s bug-bounty program because of the violation; moreover, instead of asking for more details, the security team shrugged off his claims by not acknowledging the issue.
There is a big debate going on in cyberspace, with some security experts blaming the hacker and others targeting the social networking site for its ‘double standards’.
“They liken their 1 billion users to that of a nation, yet are sorely under-invested in their national security. Having sufficient resources to address security concerns would likely have resulted in a more positive outcome,” Chester Wisniewski, senior security advisor at Sophos, was quoted by eWeek as saying.
Commenting on the issue, Facebook security engineer Matt Jones said, “OK – so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he’d already made (on a real account whose consent he did not have – violating our ToS and responsible disclosure policy), saying that ‘the bug allow Facebook users to share links to other Facebook users’. Had he included the video initially, we would have caught this much more quickly.”
On the language and communication gap, he said, “For background, as a few other commenters (sic) have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided.”