I had a similar but less-awful experience (fortunately as a renter rather than owner). Living in a similar slab house, I was surprised when my shower became slow to drain and draino had no effect. I called the plumber, he came by, and eventually told me he'd fixed the problems. Two days later, the drain backs up again.
Second plumber comes and is somewhat perplexed - he pulls up roots and suspects they've grown into the line. But it's drilled out and should work now. Two days later, the drain backs up again.
Third plumber comes out and goes in from the roof vent. After about an hour of rooting around, his snake pops up through the drain and starts whackkity-whacking around the shower. He's very surprised and a bit sheepish, and suggests there's a bigger problem and we should rip out the shower to have a look at what's under it. Doesn't pretend that he's fixed it. I'm using a different shower at this point.
Fourth plumber arrives to give a second (err, fourth) opinion and is similarly perplexed, saying we likely need to rip the shower up to fix things.
Fifth plumber agrees, and says he knows a guy who can do it.
Sixth plumber is actually not just a plumber, and arrives with a jackhammer, two buddies and a fancy proble that lets him follow where all the pipes go under the house (both with a camera in the pipe and a machine that follows where it goes physically). Scopes things out for a bit, and then goes to town on the other bathroom, eventually jackahammering and digging a roughly 5 foot cube out from under the bathroom.
It turns out when they redid things in the house 15 years ago, someone failed to actually connect the drain from the shower to the sewer, so it had just been draining into the ground. Whoops!
While they were down there, they ran a new sewer pipe out to the municipal line as well. This part was pretty cool. Rather than digging up the whole yard, they just ran a 1/2" steel cable through the old masonry pipe, hooked it to a solid steel cone, and pulled the cone through with a hydraulic winch, trailing some pvc behind it. As it went, it busted apart the old pipe and put a new one its place. All in all a pain in the ass, but neat to see how they approached things.
Aside: I also have and love Amica. They've covered a couple claims for me and have been very easy to work with.
> they ran a new sewer pipe out to the municipal line as well. This part was pretty cool. Rather than digging up the whole yard, they just ran a 1/2" steel cable through the old masonry pipe, hooked it to a solid steel cone, and pulled the cone through with a hydraulic winch, trailing some pvc behind it. As it went, it busted apart the old pipe and put a new one its place.
A month ago near Paris I have seen that method used to replace water mains along a whole street - very impressive !
I suspect flash is generally used to play sounds from chat messages - the https man-in-the-middle detection is heavily sampled, as referenced in https://www.linshunghuang.com/papers/mitm.pdf.
[I work at FB, but not on sounds or directly on https man-in-the-middle detection.]
Nope, without flash you still get the chat sound messages. I've no flash on my system and the only thing that's different on facebook is that I can't watch user-uploaded videos. Only their mobile site supports HTML5 last I checked.
It is still possible that they use flash as default audio source and fallback to HTML audio if flash is unavailable. Although of course it would be better if they could get rid of the flash altogether.
OK, I can think of a few ways they might do this (DNS tricks and per-user IPv6 addresses, <src ip, src port, dst ip, dst port> => user mapping). These all seem significantly more complex than HTTP header injection though.
So I can't speak for twitter, but I work on anti-spam at Facebook, and imagine the problems we face are relatively similar. It's worth noting that there's a constant barrage of people trying to send varying degrees of spam. It's not like there's An Attack all of a Sudden - just occasionally people close to the HN social network happen to be targeted by something and it's magnified by the media / hive mind local to us.
> shouldn't Twitter be able to pick these messages up automatically fairly fast
Theoretically, sure. As a human looking at an attack, it's usually pretty easy to pick out "obvious" attributes that they should have been able to catch. But when you're operating at a scale like us or Twitter, even stuff that looks like it's obviously-indicative-of-badness often has false-positives (posts flagged as spam that are not). The long tail of weird stuff that a billion users do can be pretty crazy.
At the same time, the "obvious" attributes of an attack are often very cheap for an attacker to change. Instead, we try to go after more expensive resources (domains, source IPs, etc).
> after (I assume) hundreds if not thousands of users have flagged them
Sadly, looking at flags of content is not a silver bullet. The signal is very sparse (a given spam post is rarely flagged), and nonspam posts are frequently flagged (religious and political speech are great examples - and they are the worst kind of false positive if you delete them as spam). These problems can be somewhat mitigated if you aggregate flags over a dimension that's expensive for the attacker (domain-posted, IP that posted the content, text shingles), but even then the recall isn't necessarily great and you could still catch e.g. controversial political domains.
> the spammers can't have unlimited IPs
True, though you can rent space on a botnet that has many, geographically-diverse, real-user IPs. Also, I imagine a significant chunk of posts to Twitter come from apps, many of which each use a single IP to post tons of content.
> Is there a reason the same techniques used in E-Mail aren't applicable to Twitter?
There's definitely some overlap. I'm not an expert at email anti-spam, but in general it's a relatively different problem. "Traditional" email spam is sent from some random email address on / via a compromised machine or open relay, and seems to be a relatively-well-solved. But it sounds like this twitter attack was caused by compromised accounts. At least anecdotally, it seems that email vendors are also not great at detecting this kind of attack. For example, my gmail account (with arguably the best spam protection in the industry?) gets a message every few weeks from some compromised friend's account. (i.e. someone had their email password stolen and the attacker is using it to "legitimately" send mail after authenticating to that email service with the correct password).
Could you not identify higher than normal viral scores and run some automatic checks on the links content to look for dodgy behavior (ie executing like / share links?) That would still end up with you being in a cat and mouse game of obscuring dodgyness but its a start.
Have you guys looked into sharing likelihoods of affected users? In other words I rarely share stuff I click on. If a higher than normal number of high view - low sharers like myself are sharing its either extremely popular or its spam. (Worth flagging for a manual check)
Yes, I admin a FB group with sockpuppeting spammers daily, and it took me a while to understand why the "report account" facility didn't offer a "spam" option.
Perhaps you can weight the flags of users. Like users who have flagged non-spam content in the past don't count, and people who have flagged lots of spam count more.
Yeah, we've played with that idea a bit. It doesn't help the sparseness problem (actually makes it worse), and if we took action as a direct result, it would give people the power to DoS content they disagree with.
For sites operating at a smaller scale, this could be a good way to surface content for manual review though.
Could you hire people just to review/flag stuff on a part-time basis, ala Mechanical Turk? Or is the problem just not big enough to warrant the time/money investment?
I imagine that while spam is annoying, it probably doesn't impact your bottom line in a big way.
I'm surprised more aren't mostly-white for the first 3/4, and then they split at the end. It seems like all the action in basketball always happens in the last 2 "minutes."
We (I'm another eng at FB) definitely hire interns who are not juniors in college. You can be younger or older (or you could be a junior - I did my internship here after junior year).
As I understand it you just need to be going back to school at the end of your internship.
Hey folks - I work on security at Facebook (though not specifically the Whitehat program) and just wanted to let you know we're looking into this right now.
OK - so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video initially, we would have caught this much more quickly.
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.
"As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs."
I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit - and right aligned really badly as the page evidently expects arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.
This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.
edit - hmm, was about to check the situation with other languages, however now all the buttons are in arabic so I stopped bothering after the fourth random page.
Great point and I hope the FB security team take notice of your post. Whether or not this guy gets paid, I certainly hope they spend the money to get proper translation of their policies in every language they operate in.
They can't pay people to violate their terms of use or to try to violate the privacy of their users. Even if they wanted to, they're probably not allowed to do that.
So if a security bug was discovered using methods that are against the TOS then the information about the bug is worthless for them and it's better to sold it elsewhere.
The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.
However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.
Well according to Facebook, "this is not a bug". Which means the feature works as intended. If he is using Facebook as it is intended, then how can he be breaking the TOS?
When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.
They wouldn't paying him to violate the terms ... and it's not like Facebook has any problem with changing a user's privacy settings without permission - except I guess we probably somewhere in the agreements agreed to allow that, or not hold them accountable - probably both..
"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."
It's translated. I believe it requires you to be in a local to get this page to display automatically. It certainly exists for people creating accounts in arabic, and absolutely includes the relevant lines.
Does it concern you that ultimately the way the OP got your attention is by posting to MZ's account? Are you sure you'd have ever "discovered" it if he hadn't? I agree that the OP didn't do a great job, but if he's submitting a vulnerability that you really want to hear about and you're ignoring him because of some miscommunication and you ding him for doing the one thing that gets your attention, you're creating an environment where you're less likely to find out about these things.
I think there's a spectrum between letting whitehats do anything (including violating privacy, hurting real user accounts, etc) vs. suing everyone who changes a GET param somewhere. Having a whitehat program with (IMO reasonable) guidelines around not impacting unsuspecting real users seems to me like a good balance and is fairly close to the first part of the spectrum.
Obviously I don't love the end outcome, and this would have gone better for all parties if he had used a test account and included some kind of repro instructions (like that video) in the initial report.
>this would have gone better for all parties if he had used a test account and included some kind of repro instructions
Clearly, but that's not really something you can control. From your perspective, the other side of the tradeoff with "hurting real user accounts" is "leaving open a huge security hole", not "being mean to whitehats when they screw up". I don't disagree that the guidelines seem quite reasonable prima facie and perfectly fair to to the whitehat in some moral sense, but it's unclear if they're actually working. It boils down to, if you had to choose between finding out about this security hole the way you did or not find out about it at all, which would you choose? How many not-quite-so-aggressive versions of this guy are out there, and how many holes are you leaving on the table? Edited to add: If an important way of finding vulnerabilities is people breaking the rules, then the rules suck, regardless of their intrinsic fairness.
It could well be that keeping not-great-communicator/guideline-follower whitehats from reporting some number of bugs through questionable means is actually worth those flaws sticking around. Of course I don't see the daily flow of vulnerability reports to FB (or all the ones that don't ever get reported), so I don't know. But it sounds like a harder question than you make it out to be.
Again: how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.
We all know this person had good intentions. But good intentions aren't always enough. Facebook doesn't appear to be freaking out at him. They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Firstly, no idea how you can conclude he hacked an account. A bit strong of language there? Second, does reason not come into play here? You don't have to write a policy to compensate people for violating privacy - however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.
> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?
This is like... the textbook definition of a hack.
> however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.
I love that this statement is downthread of a Facebook engineer's comment that states he considers the guidelines reasonable. It's as if you're just a drone following written orders without the ability to make compromises.
>> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?
>This is like... the textbook definition of a hack.
Perhaps of "hacking FB", but he didn't "hack an account".
I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.
All they are achieving by reacting this way (including the apologets) is that next time, such people will just sell their exploits on the blackhat market.
I don't think has anything to do with saving money. It really seems like a case of trying to take human judgment out of the equation. Strict adherence to rules is easy for bean-counters to push but frequently problematic for dealing with real world situations because rules are never perfect.
Facebook really doesn't need to save $10k by not paying this guy. It's about upholding the terms and not setting a precedent.
The blackhat market for Facebook exploits is not huge because the product is centrally controlled and can be patched at any time. It's not like 0-days for products with individual installations that aren't centrally controlled with forced updates - those are clearly valuable.
What incentive does the engineer have to look deeper, and more holistically at the situation? None, especially if he doesn't want to create friction within the company - he can just sit comfortably having followed written protocol. A human with compassion can make compromises, someone following orders can't.
In as much as he posted on another account's timeline without permission, he "hacked" it in the "unauthorized access" sense of hacked.
re: reason; where does his reason come into play? It does not seem reasonable to post to M.Z.'s timeline, I'd guess he did that because he was P.O.ed at being dis'ed by the support people.
In the bureaucratic theory I am aware, if you have rules (policies, proceudres, standards etc.) you need to apply them consistently. Sometimes the rule will allow for discretion, sometimes not. I don't see room for discretion here.
I believe you're comprehending his actions wrongly. He stated before he'd be able to post even onto M.Z.'s timeline, to announce that this isn't a narrow scope issue, and that it was to gain attention. I see no malicious or angered. If of course M.Z. all of a sudden sees some guy, who isn't a friend, posting to his wall - you think he might actually look into it, right?
Yeah, rules that don't take into account reason are inhumane. Similarly why we don't just give everyone 10 years in prison because they committed a crime - you take into account all aspects - and not just apply "oh but he committed a crime, so this is the result."
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
I don't see why that is. They already provide the following caveat:
> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]
So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).
I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?
He didn't try to reproduce the bug with a test account though. If he had and it hadn't worked, the fact that he then used a real account would've been acceptable.
"Can't pay him" sounds like bureaucracy BS. I'd argue that it's in their best interest to find a way to pay him. Why make people jump through hoops to report an exploit in your product?
However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.
"Can't pay him" doesn't sound like bureaucracy BS, they don't pay him because he violated the TOS, it's on purpose. We could argue this is stupid and the TOS should be changed, but I can understand why they specify that in the process of reporting a bug you use a test account. Violating a real user privacy to report a bug isn't the proper way to report a bug. If they made an exception with this guy then they would have to make more exceptions and possibly set a bad precedent.
I disagree. I don't think that making a case by case assessment is opening the floodgates (that argument is exactly what I would call bureaucracy BS). For an exploit of this severity I would expect them to be grateful to someone who was obviously not being malicious regardless of some silly policy.
How would you feel if he found an exploit that allowed him to make all your private messages public and proceeded to report this by leaking your inbox?
I'm no fan of Facebook, but even I can see why they can't ever encourage such irresponsible behaviour.
Well, we don't need to assess fictional scenarios, we can take a look at what this hacker has achieved.
1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)
2) Embarassing the CEO of a company and thereby also hurting the reputation of his company
3) And on top of that he breached his privacy
And you still think that they treated him too harsh by withholding payment?
I mean couldn't he have waited a few more days or reopen the ticket - or maybe just use Facebooks test accounts?
It's not like he waited for ages, he brought this bug to attention last friday.
But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZs wall.
It would be great if they said "We can't pay him" publicly then just cut him a cheque privately with the understanding that he not tell anyone he got paid. This way, they can go on with the TOS saying you can't affect real users with your hacks, and the dude that blew the whistle gets the reward.
> how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.
Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.
> But good intentions aren't always enough.
Several attempts to contact them despite being told the actions he was taken was not a bug despite clearly explaining why it was?
Slightly off topic, but it would be nice if the test accounts really worked all the time. I've seen a number of cases where entire sections of the site (e.g. http://developers.facebook.com) that error out (return 500's) when using whitehat test account's auth info. This leaves us with little choice but to use real accounts in some cases.
But a member of your team was in control of the outcome and messed up. This guy really wanted to make sure that you guys saw the issue in spite of a member of your team screwing up.
You should be rewarding him, not discouraging him.
I know arguing with someone as stubborn as you is useless, but what can I say?
I hope that the fb'er who replied to him saying "this is not a bug" has been retrained to use the words "we are unable to reproduce this issue, please provide further information or perhaps a video demonstrating the bug".
So no one reasonable is allowed to actually make a decision eh? Must be shitty working at Facebook if decisions don't have a human-compassionate influence to them.
It's plain simple corporativism. The guy escalated the issue to their boss and they are not happy. Since this is probably a failure at multiple levels, they will fight back. It really sucks but it's all very unexpected.
He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.
Exactly, no harm was intended or done. Somebody posting on your wall doesn't even really impinge on your privacy (Hell, for all intents and purposes Facebook do it for profit). Whatever reward, perhaps reasonably reduced, they pay this guy will be cheaper than any bitterness earned from sitting behind a wall of pedantry with big fat righteous grins on their faces.
If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.
You're doing good work. Don't be discouraged. You clearly have some talent, and you can do positive good with it. Large companies are wedded to their rules, terms, and systems. As you work more on these sort of things, the process will get easier. As you can see, there are many supportive people here.
Why wouldn't it be? At worst, wouldn't facebook be the aggrieved party, and not another user of facebook?
Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.
If this is the case, then surely facebook could just choose not to press charges, and if so, what would be unlawful paying him in that case?
The bank example's a tad off when trying to draw a correlation to this particular case. I do agree with your sentiment though.
I would reword it and say: if someone pointed out to a stubborn bank manager who refused to listen that the vault and my h of the bank's money was easily accessible, by taking out afew dollars from the bank & handing it to him. The a very embarrassed manager would be right to reward the person for showing the institutions flaw and not robbing them blind.
They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)
Posting something on someones wall isn't so much invading as it is leaving a sticky note on their door. By that metric UPS invades peoples homes quite regularly when they fail to deliver a package. Had he actually accessed any non-public details of a users account that might be one thing, but the only data he was able to view was the post he had created himself. In short, it was his data, from his account, it just happened to be located on someone else's page. Honestly it's not even that bad of a vulnerability, more like a mild nuisance.
They will pay for reporting of the bug. What's with the apparently intentionally inaccurate description of his actions? All he did was post to someone's wall, that's hardly "invading someone's account".
You're right; I am officially derisive of this discussion. You know I'm not making an argument by trying to characterize this person's actions as malicious, but you keep raising that idea as an issue, because you actively don't want to understand what's happening in this situation, but would prefer instead to demonize Facebook's security team.
You seem to be making an awful lot of excuses to not just pay someone who brought to light a critical exploit. Do you work on the security team or are you a lawyer (maybe with a panicking accountant looking over your shoulder) trying to find fine print reasons say, "Aha! We can save money to our bottom line in this instance!" ? Do you know how silly it looks for you to make these excuses?
The situation is the guy in good faith tried to give them repro steps and report a critical bug. Technically he fucked up and didn't do it on a white hat account. No harm was intended or done. They are denying him his reward based on a technicality. If that FB employee is not some lawyer trying to cover their asses, then he should want to pay this person and make it happen via some exception. If they truly didn't care about the money and wanted to pay more bounties they would do this. There is no danger of ruining the integrity of the ToS as another replier suggested. In future incidents they are free to not make an exception. In this case, it was all in good faith and the guy didn't know the proper procedure.
They're not "denying him the reward". He demonstrated the vulnerability on someone's actual account. They can't pay people to fuck with other people's accounts. That's not what bug bounties are about. Only on a message board is this hard to understand.
A very specific message board, it seems like. /r/netsec is having no trouble understanding it.
Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.
No, you just refuse to think about the larger picture. I went out of my way to say that this person wasn't deliberately harming anyone.
You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.
It's understandable it's just not the right mentality towards someone that hacks for profit and bug bounties generally target this ($500 though is hilarious). Effort and time is supposed to be directly related to payout, if it takes more effort and time for less of a payout then the bug reporting is broken.
That is a vague reply with no apparent relevance to anything I said except the amount $500 which was not to be taken literally. My point was that facebook isn't doing this to save money and believing so is idiotic.
You apologise and pay the guy. Then you write it up as a public case study in very simple English. At each step point out what he should have done. That means the next people know what to do, and everything comes out positively from this.
At the moment the loud and clear message is that there are far more welcome places than Facebook to report found issues.
Is your whitehat page translated to other languges? If I select a different language, only the login and footers are translated. I don't think you can reasonably assume that non-English speakers can understand the entirely English whitehat page.
Additionally, if you're not logged-in, then the test accounts page doesn't work. It redirects to the same page as facebook.com/whitehat, with no notification that the test accounts page even exists.
The right thing to do is add Khalil to the white hat list, and pay him what he deserves. He doesn't speak or read English as you have noticed. Your TOS for white hat page is NOT even translatable.
He used real accounts because your team did not care what he had to say. What do you think he should have done? Sell it to the black market?
But couldn't your team be a bit grateful? Though he did post to Zuck's account, he didn't sell the vulnerability as a zero day on the black market, no?
A cheap insurance policy, making the payout, cultivating trust with white hats who are nonetheless decidedly a bit bone headed (if not well meaning).
I agree with you that facebook should not pay for the bug since he violated the policy, instead, facebook can consider offering him an interview opportunity and sponsor him a trip to facebook.
> many of the reports we get are nonsense or misguided
Alright, here's a preemptive question for you then.
Should a logged in user be able to retrieve the email addresses of an arbitrary friend, regardless of their contact privacy setting being set to "only me"?
Thanks also that was a typo. First time I have ever heard it was in these comments. We don't ever use it where I work and I deal with customer reported bugs every day.
This is crap and you're embarrassing yourself and Facebook.
You all are lucky that people are sharing this stuff with you guys for $500 instead of on the black market for much more. You're also lucky that people are doing the job that highly-paid Facebook engineers should have done. And if I read between the lines of your post, you and your team think that you're pretty clever.
The right thing to do is to cut this guy a check for $500 and keep your mouth shut, before people stop reporting security bugs to you.
I know I'm already discouraged--if I find anything, the last thing I want to deal with is a mediocre engineer telling me I didn't fill out the TPS form the right way.
the language barriers are enough to justify any mistakes made in conforming precisely with the t&cs. he didn't abuse the hack. he reported it to you. pay him tbh.
Although, Mr. Shreateh did not follow the Facebook TOC to the letter, as written by Facebook's legal team, he did operate in good faith, according to the Yahoo article, quoted below. Whether or not Facebook legally owes Mr. Shreateh $500 + change or not, the potential PR costs and being "cheap" image is one I would hope does not attach itself to Facebook - leave that to Walmart.
"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.
That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.
He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post.
Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that
Shreateh shared.
Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."
You discover a bug on FB just by being a normal user not a "whitehat" security user:
* You discovered it by doing "something" to someone else account --> FB will not pay : SELL on black market.
* You think the bug isn't really a bug but then it happens again --> FB will not pay : SELL on black market.
* You have a life that you don't want to waste with reading through legalese and filling out forms. FB says it is not a bug. Maybe they are right? You don't want to spend the time arguing about it over email --> SELL on black market
* You are not a lawyer, or do not do security testing full-time on FB. Or you are a normal user who has not kept on the FB ToS now that we are on the 100 billionth version --> You probably did something wrong. --> FB will not pay : SELL on black market.
* You are a US citizen and do not want to be charged with CFAA violations as a hacker --> SELL on black market.
So can I report the same bug under the guidelines and get paid for it, or did you rob him and patch it already? Just pay the man, as a programmer a simple bug like this is a huge no no in the engineers part, and not rewarding the user for his conduct is plain selfish of the company.
Facebook is wrong on this issue. OP made a good faith effort to report the problem. When this failed, he demonstrated the bug in a non-destructive way. He did not post maliciously, nor did he use the bug to obtain confidential information. When the channel set up by Facebook failed, he took the problem to the CEO. I will post this issue to various social media outlets until the OP is fairly compensated. Facebook's actions here are deplorable and discourage users' efforts to report bugs.
I worked in FB before so I understand that it's kind impossible to track all the bugs/reports received without clear information provided. However, you can easily tell this guy is humble and not really trying to show off, it's the one who simple wrote "this is not a bug", instead of asking for more information, putting him to actually hack Mark's page.
For a better PR, pay him and use this case as an example to teach the future whitehats. FB has low esteem for a reason.
Exploiting bugs to impact real users is not acceptable behavior for a white hat
It's pretty arrogant of Facebook to redefine the meaning of white hat don't you think? Posting to the Facebook founders page to let them know of a security vulnerability is not malicious, plain and simply, not. Trying to steer the embarrassment of your failings because this guy didn't read your TOS is incredibly hypocritical.
And you base that on what? Sending someone a message to give them a heads up on their security, no matter the medium used, is not malicious behavior, if you feel it is .. well, the world must be a very scary place for you.
With all respect, obviously you was able to reproduce the bug and fix it. Maybe you forget, that language barrier to Palestine can be an issue too, so because you make not clear what you asking for, when he send you back a link. Obviously it is more work to post on Mark Zuckerbergs Page than respond in the way you want.
Plus i am very sure, the mistake was on Facebook ends in the first place. I experienced it myself: Since 6 month now i try that Facebook take action, because the break of privacy issues and violation of Facebook terms by a Facebook user - i even not give an response on any channel in tried.
If you really do not give him his reward for the Report and keep you informed, than this is extremely unfair from facebook end. IN this case i strongly recommend WhiteHat Hackers in future cases: Do not count on Facebook Team, publish bugs and security issues on Blogs. Obviously the Facebook team give priority not based if a problem is urgent, only how "public" it is.
In all honesty I think you guys are being extremely harsh with a man that has pointed a huge problem on your website. He has done Facebook a huge favour and instead of paying him, you have the nerve to refer to a TOS not written in his first language as an excuse.
This will lead to bad publicity for a multi million dollar company like yourselves. The man looks really poor and if he wanted to he could have made a lot of money selling that exploit to spammers. However he decided to do the ethically right thing, only to be stabbed in the back by Facebook. I cannot believe that a company of your size and magnitude would stoop so low, its pathetic!!!!
Just on that basis I will boycott Facebook as your organisation seems to have lost all of its good morals!!!!!
By him demonstrating something which Facebook clearly stated "...is not a bug" at the time, Facebook can't claim he violated the ToS. If it was not a bug, he was taking advantage of a feature which Facebook gave him the liberation to by stating so. The moment Facebook claims it is a bug, that contradicts what Facebook told him in the email, and thus it is Facebook's fault, not his. Facebook REALLY should not have said "this is not a bug." Facebook then had few options: to leave this as a feature (which is ludicrous), or treat it as a bug and redact what was stated in the email, which means Facebook should pay the damn man. You can't lie in an email and then pull a 180 when it's convenient for you.
What you've just done is create a disincentive for "researchers" to report vulnerabilities to you. The next time Kahlil or someone else finds a vulnerability (and there will be a next time), he/she/they will simply use it and/or sell it. Kahlil did the right thing, at the end of the day, and only broke Facebook protocol in order to get your attention because you ignored his first (legal) notification of said bug. If you don't pay him, you'll have a hard time with credibility in future cases.
In addition to all of that, it's the right thing to do.
If you admit that "you should have pushed back asking for more details" than you should also admit that because of that, you are partly liable for the fact that he did go beyond the explicit rules. Now, are those rules also in Arabic? Also, how are you to encourage users to work with you in a quick, efficient manner, if these kinds of things are bogged down with red tape? It's only $500. Perhaps, you should change your rules to make the system for bug reporting easier, efficient, and a bit more egalitarian. Best,
LJ
That's ridiculous, he didn't use the accounts of real people. Real people wouldn't have elicited the FB security team response within minutes. Real people don't have a "follow" button on their wall. He used the one account that got your attention and was not malicious and he deserves to be paid. You know damn well your terms are meant against maliciousness and spammers. Your stance is petty.
You guys should hire the guy since he showed the world what a big flaw that was, instead of selling it he kept on trying to tell to the company. He should be seen as a hero by Facebook!
Shows how many issues there should be that are not taken into account.
BTW: English not being the primary language for these folks has not to do with anything, shows how much stereotype there's in being American or not. It's a global world, wake up!
I think we all know the signal-to-noise-ratio on the internet is a bit whack. So it seems entirely plausible that this was all due to an improperly formed submission.
That being said I think Facebook could have given the reward and a slap on the wrist at the same time considering the language barrier.
Considering the language barrier, a slap on the wrist is less appropriate. Facebook could have used this opportunity to publicize explaining to Khalil that his bug finding techniques are not in accordance with the guidelines and garner good will by paying him the $500 as an exception to the rule. The media would be frantically covering how facebook in spite of its guidlines decided to thank the person who reported the bug and overlook an apparently innocent mistake. A missed opportunity on facebook's end.
So the security person who said "This is not a bug," - what's happening there? If they had guided the guy reporting the bug, asked for more information or directed him to the expected methods for reporting, then this would have likely gone completely differently, right?
By the time he'd reported it, he had already used the exploit to post on a live, non-friend, account. As far as I understand , that's already a violation of the TOS.
It's fairly obvious he didn't understand the whole whitehat accounts he should have been using. English isn't his first language, so should we fault the guy for that - or Facebook who's an international company - with 1+ billion users? Or should Facebook own up to that they should probably update their documents - or give the guy a fucking break because they haven't done that? This is where you need REASON to react REASONABLY, and not just use a blanket statement to "make their life easy" in decisions like this. That's lazy and inhumane.
Highly unfair that you aren't paying him, TOS or not. Additionally, one could argue that your TOS is bad to begin with. It could be re-written to properly account for this situation. This guy did not have malicious intent - that is the bottom line and all that matters here.
You could have just replied with the name of a test account and told him to post to that one to verify the exploit. In that way you would avoid any permission problems with real accounts.
Pay the guy! He could have sold it and made lots of money. He was trying to do the right thing. Too bad he had to go to such extremes to get someone's attention.
How about looking into paying this man for his honest bug finding work? The response from FB on this is disgusting.
"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
We have now re-enabled your Facebook account.
Joshua
Security Engineer
Facebook "
Non-rhetorical question: is your team concerned that not paying out a bounty for this report may be exploited by anti-semitic groups?
I can already picture people saying "of course, Mark Zuckerberg would refuse to acknowledge the work of a Palestinian." (regardless of the fact that Mark Zuckerberg describes himself as an atheist)
As many others have said: The TOS was only available in English and that's not his first language. He did the only thing he could to get your attention and fix the problem.
Yeah, the moment we realized what was going on, it was like one of those horror stories you tell as a kid: "...the call was coming from INSIDE THE HOUSE."
The only way an attacker could have come across this URL would be if they had access to our codebase specifically - the string in the "extra_log" param was hardcoded in the PHP endpoint. It didn't even occur to me that they might have placed it there. Only when someone pointed out that this param was actually md5("october") did we start to wonder if it might be a drill.
Second plumber comes and is somewhat perplexed - he pulls up roots and suspects they've grown into the line. But it's drilled out and should work now. Two days later, the drain backs up again.
Third plumber comes out and goes in from the roof vent. After about an hour of rooting around, his snake pops up through the drain and starts whackkity-whacking around the shower. He's very surprised and a bit sheepish, and suggests there's a bigger problem and we should rip out the shower to have a look at what's under it. Doesn't pretend that he's fixed it. I'm using a different shower at this point.
Fourth plumber arrives to give a second (err, fourth) opinion and is similarly perplexed, saying we likely need to rip the shower up to fix things.
Fifth plumber agrees, and says he knows a guy who can do it.
Sixth plumber is actually not just a plumber, and arrives with a jackhammer, two buddies and a fancy proble that lets him follow where all the pipes go under the house (both with a camera in the pipe and a machine that follows where it goes physically). Scopes things out for a bit, and then goes to town on the other bathroom, eventually jackahammering and digging a roughly 5 foot cube out from under the bathroom.
It turns out when they redid things in the house 15 years ago, someone failed to actually connect the drain from the shower to the sewer, so it had just been draining into the ground. Whoops!
While they were down there, they ran a new sewer pipe out to the municipal line as well. This part was pretty cool. Rather than digging up the whole yard, they just ran a 1/2" steel cable through the old masonry pipe, hooked it to a solid steel cone, and pulled the cone through with a hydraulic winch, trailing some pvc behind it. As it went, it busted apart the old pipe and put a new one its place. All in all a pain in the ass, but neat to see how they approached things.
Aside: I also have and love Amica. They've covered a couple claims for me and have been very easy to work with.