Sounds like just another reason to avoid facebork at all costs.
Bug-finder chucked for posting to Zuck
A Palestinian IT graduate has had his account disabled and been told he won't be paid a bug bounty after demonstrating a Facebook security vulnerability by posting an image into Mark Zuckerburg's timeline. As explained in this blog post, Khalil Shreateh discovered a vulnerability that allows an attacker to post images into …
-
-
Monday 19th August 2013 00:22 GMT NomNomNom
Re: ...and here we see the "Head In The Sand" approach to system security...
If you were on Facebook you could have added that message to your timeline and your Friends could have Liked it. But you are not on Facebook so this did not occur.
Why you not on facebook? You are an inexplicable mystery conundrum.
-
-
Monday 19th August 2013 13:04 GMT Tim Parker
Re: ...and here we see the "Head In The Sand" approach to system security...
"Probably because he's already seen all the mindless drivel most people post on Facebook and all of his friends prefer to meet at the pub instead for a pint. Or not."
There's the possibility that there's been an irony failure here - especially considering his second post. Or not.
-
Monday 19th August 2013 20:36 GMT Jonathan Richards 1
Re: ...and here we see the "Head In The Sand" approach to system security...
Not an irony failure, exactly. Picture the scene - Nom stands in the shallows of the digital river in his Waders of Anonymity and ties a "poor english Facebooker freind"* to his line. Casting it lightly above the swirling Reg forums, he skillfully lures the Lesser Commentard to the surface. Occasionally one will froth and writhe for his amusement, and for that of onlooking admirers.
A pint behind the bar for Friday, Nom.
*Yes, sic. There's a bonus for somebody being lured into using Jimmy Edwards.
-
-
Monday 19th August 2013 06:20 GMT Anonymous Coward
Re: ...and here we see the "Head In The Sand" approach to system security...
Instead of those of us NOT on Facebook or Twitter explaining why we are not signed up, perhaps you could explain the top 10 compelling reasons why we should be on it/them?
Please note that saying that I can communicate with friends is not good enough. Most of my friends are not on them either (but for different reasons to me).
-
Monday 19th August 2013 06:28 GMT ratfox
Re: ...and here we see the "Head In The Sand" approach to system security...
I joined at the time to participate in a discussion/group/whatchamacallit.
But indeed, the most important attraction is to read what is happening to your friends, assuming what they write is not "had a donut today" and rather "will be in NY next week-end, anybody there up for a drink?"
-
-
Monday 19th August 2013 11:07 GMT Steve 13
Re: ...and here we see the "Head In The Sand" approach to system security...
Surely 1 good reason to use facebook would be enough of a reason to use it.
Nobody claims that email is secure, but you use that (I guess), and I doubt that anyone can list 10 reasons to use email without some of those reasons being subsets of a reason already listed.
There are reasons to not post too much personal information on facebook, and I certainly don't care if you don't want to use it, nor do I want to convince you to use it. But the inverse IT snobbery being demonstrated by a lot of posters is a little bit ironic IMO.
-
-
Monday 19th August 2013 12:24 GMT Bill B
Re: ...and here we see the "Head In The Sand" approach to system security...
I don't have 10 top reasons for being on facebook and I admit my use of it is only applicable to myself, but here goes.
I have family scattered across the States, Canada, New Zealand, Australia and Italy. I have an equally scattered circle of friends. I use Facebook to keep in contact with all of them, share what we're doing, family pics and news. Before Facebook we used email with a BIG circulation list.
Security is set to Friends (sometimes 'Friends of Friends') but specifically family stuff is limited to a Facebook group.
I don't tend to 'friend' people I'm in everyday contact with because .. well .. I see them everyday. But Facebook has been a really good medium for maintaining contact with distant family and friends.
Facebook isn't for everyone. On the other hand, there are some things it does well, which is, I assume, why it survives. If you have an alternative method of keeping in touch then sure, let me know.
-
Tuesday 20th August 2013 05:06 GMT nanchatte
Re: ...and here we see the "Head In The Sand" approach to system security...
Why do I have to give 10 compelling reasons to YOU? As with most free(mium) services, if you're sensible about using it and apply it correctly, it's a nice free tool that can generate income.
I have two Facebook accounts... one to keep in the loop with friends and family back in England and another for my business. Many of my customers in Japan use Facebook. In fact, I'd go as far to say that Facebook is rampant among certain (my target) demographic. My income has increased about 300 pounds a month since I started my Facebook page just three months ago and customers are increasing steadily, TYVM. That buys a lot of Friday night beer at the pub.... Yes, Facebook and beer are NOT mutually exclusive.
-
-
-
-
Monday 19th August 2013 00:49 GMT Shannon Jacobs
OTHER is NOT an option for security
Does this reply post count as an open letter to Facebook? I also tried to report some problems to Facebook via the official Facebook channels. I don't think they were listening, and anyone who trusts Facebook with ANY sensitive data is a gigantic fool.
Hey, let's try persuading the black hat hackers that they have to play by the rules! Isn't that a brilliant idea?
Listen here, you morons of Facebook:
The essential nature of security threats is that you do NOT know what they are in advance--or you would have blocked them already and they would NOT exist as security threats. Sometimes that means the reporting mechanism may not be suitable for accepting the information. You ALWAYS need an OTHER channel. Shooting the messenger for YOUR incompetence is NOT a solution.
In conclusion, I do NOT trust Facebook at all. However, I don't think they are yet as EVIL as the google has become. It's just that the amazing incompetence of Facebook combined with the sensitive personal data makes Facebook much more dangerous.
-
Monday 19th August 2013 07:30 GMT Anonymous Coward
Re: OTHER is NOT an option for security
In conclusion, I do NOT trust Facebook at all. However, I don't think they are yet as EVIL as the google has become.
THE Google? :). I disagree, evil through malice or evil through ignorance is still evil. I'm not defending Google (I agree with your original statement), but it must be observed that FB started with a hack, whereas Google started with a product that people actually wanted (search) because it was indeed far better than the competition. FB is basically large scale social engineering.
-
Tuesday 20th August 2013 12:34 GMT Solmyr ibn Wali Barad
Re: OTHER is NOT an option for security
They tried to handle matters as a typical $BIGCORP. There is an official process for reporting problems - and like most official processes, nearly impossible to use in practice.
But there is a difference, though. They have Zuck. He is quite able to go nuclear on this "process".
-
-
Monday 19th August 2013 04:13 GMT Chairo
WTF?
since Facebook's team wasn't friends with the target account he used to demonstrate the bug, they could not see the links he provided
Facebook's quality team is not able to see all Facebook postings? There is no one with admin rights that could check some bug report out?
Is this a sign of incompetence or just laziness?
-
Monday 19th August 2013 06:21 GMT Anonymous Coward
Instead of saying "facebook is evil, I never went there, aren't I a clever OLD bofh"..
Why don't the comments here show a little sense and perhaps suggest that the terms of the facebook bounty are contradictory to the ToS and therefore constitute an unfair contract in the eyes of UK law anyway.
If I were him, I would now be exploiting this to post all sorts of sh*t all over facebook.
If they want to be c*nts about paying him, he should show them the value of the report and what the exploit could do if in the wild.
They are only slapping him down because anyone who is sheep enough to report a problem to facebook and expect them to care is a fool.
All big US corporations (led by apple) have nothing but contempt for their customers when it comes to treating them like humans, so any fan-boi is already a brain-washed idiot that the company can treat badly.
-
Monday 19th August 2013 07:33 GMT Anonymous Coward
Re: Instead of saying "facebook is evil, I never went there, aren't I a clever OLD bofh"..
If I were him, I would now be exploiting this to post all sorts of sh*t all over facebook.
If they want to be c*nts about paying him, he should show them the value of the report and what the exploit could do if in the wild.
The first was a warning of a vulnerability, which is acceptable in most jurisdictions. What you are proposing would amount to breaking the law. If FB want to be cheap bastards, fine, but I think the guy would be smart not to do anything criminal. The facts are out there now; no doubt others will start doing this already until FB fixes the problem.
Oh, and yes, I agree with most people that FB's response was exceptionally lame and appears more aimed at not having to pay out the bounty. Translated: any further vulnerabilities will no longer be reported. Well done, morons.
-
Monday 19th August 2013 08:48 GMT Thunderbird 2
Next Time
Farcebook just escalated things.
Next time a bugfinder finds a bug they won't report it until they have a second and more deadly bug with which to backhand volley the "we won't pay the bounty/we will suspend your account" attitude. The backhand volley being publicly reported in as many forums as possible and resulting in complete pawnage / outage.
Will Zuck fire the security teams, or the people that didn't authorise bounty payment?
-
Monday 19th August 2013 09:01 GMT volsano
Bugs, features and no-nos
Odd. He had been specifically advised by facebook that the behaviour was not a bug.
So he used the behaviour exactly as facebook knew it could be used.
They then went all TOSsy with his ass, told him that Terms of Service trumps Security Team.
Tells us all we really need to know about facebook's technical priorities.
-
Monday 19th August 2013 15:17 GMT Anonymous Coward
Re: Bugs, features and no-nos
"He had been specifically advised by facebook that the behaviour was not a bug."
This seems to be a standard modus operandi with FB's Security Team. <SARCASM>It's a "feature" not a bug... sound familiar?</SARCASM>
I reported something fairly recently which as it turned out had been highlighted years previously (https://www.quora.com/Facebook-1/Are-Facebook-pictures-really-private-and-are-they-hosted-on-Facebook-servers). All your photos posted to Facebook or Facebook chats are stored directly on Akamai servers without any authentication. So any Privacy settings you apply to those items mean sweet bugger all as you can copy the URL to that image and send it to all and sundry to view without them having to log in to Facebook and be constrained by any controls you have placed on the pictures (including setting the permission to "Just Me"). This is something Facebook Security do not view as a problem and thus will not change. Object storage security in the cloud (for me at least) is a basic requirement.
Yes, it doesn't stop people permissioned to see it from saving it and distributing it (which is FB's Security's excuse as to why they won't fix it). I do see that as a valid possibility, but for them to not bother with securing your attachments in the "cloud" makes you think what other corners are they cutting? I did ask the question as to why the Privacy controls exist on the pictures in the first place if it can be bypassed this way - no response to that question.
Not that I advocate this in any way, but it sounds like a very plausible possibility for a trojan to harvest out URLs of pictures posted by FB users to be then used for nefarious / bribing purposes at a later date. This was an idea floated to FB Security but was dismissed given that a trojan compromise would effectively "own" the computer. Fair point, but knock up some malicious Javascript and that would do it.
Regarding corner cutting, there's one other issue I've reported but we are still discussing the merits of it so cannot talk about it here. Whilst low risk, it's so basic that I am surprised this wasn't caught earlier.
Yes, the URLs of pictures uploaded to Facebook (for now) are (potentially) random enough to prevent enumeration of photos posted by folks but security through obscurity is never a good approach and doesn't mean it won't be broken in the future.
The fix? Well, authenticate all photo URLs back to FB and honour the Privacy settings. But I think someone has made an engineering decision that this would be quite expensive from an implementation point of view to have Akamai's offering linked in with FB's authentication / privacy system.
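The fix this comment proposes (tie photo URLs back to the origin's authentication and privacy check instead of relying on an unguessable path) can be sketched as short-lived, HMAC-signed object URLs bound to the viewer who passed the privacy check. This is an added example for illustration only, not Facebook's or Akamai's actual mechanism; the signing key, the `cdn.example.invalid` host and the `sign_url`/`verify_url` functions are all assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for this example. A real deployment shares the key only
# between the origin and the CDN edge; it never reaches a browser.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _signature(path: str, viewer_id: str, expires: int) -> str:
    # Sign path + viewer + expiry together so none of them can be swapped.
    msg = f"{path}|{viewer_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, viewer_id: str, ttl_seconds: int = 300,
             now: Optional[int] = None) -> str:
    """Origin side: called only after the privacy check for this viewer passed.

    The returned URL is useless to anyone else and stops working after the TTL,
    so forwarding the link no longer bypasses the photo's privacy setting.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"viewer": viewer_id, "exp": expires,
                       "sig": _signature(path, viewer_id, expires)})
    return f"https://cdn.example.invalid{path}?{query}"


def verify_url(url: str, presented_viewer_id: str,
               now: Optional[int] = None) -> bool:
    """Edge side: serve the object only for an unexpired, untampered URL whose
    embedded viewer matches the identity the edge has for this request."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        viewer = q["viewer"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False          # unsigned or malformed: the bare URL no longer works
    if viewer != presented_viewer_id or expires < now:
        return False          # forwarded to someone else, or link expired
    expected = _signature(parsed.path, viewer, expires)
    return hmac.compare_digest(sig, expected)   # constant-time comparison
```

Binding the signature to the viewer is what closes the "copy the URL and send it to all and sundry" hole the comment describes; the expiry additionally limits how long a leaked link stays usable.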
-
-
Monday 19th August 2013 09:04 GMT Roo
Mindless retaliation.
He was contacted by Facebook's security goon *after* he defaced Zuck's timeline; clearly it wasn't an issue that he broke the ToS when he tried to demo the bug with a friend's account, therefore I suspect his account was suspended due to Zuck taking his account defacement personally.
Poor show from the goons in the first place though, if they couldn't validate the exploit because they couldn't access the demo account they should have created one they did have access to and told him to test against that instead.
-
Monday 19th August 2013 09:06 GMT Jon Green
What did he expect?
Attacking the Facebook CEO's page? That was never going to end well.
In his blog, he says, "i has [sic] no choice than to post to Mark Zuckerberg's timeline". This is far from true. If he wanted to demonstrate it, he should have created a new FB account, and used that to post images into the timeline of his own home page, or onto that of someone high-profile with whom he'd agreed the stunt.
-
-
Monday 19th August 2013 10:11 GMT Jon Green
Re: What did he expect?
@Dan He didn't create another account, and it's by no means clear that his original demonstration was with consent.
If you read his blog post, from which I drew the quote, you'll see that he posted to the timeline of someone who was (or is) at the same college as Zuckerberg attended. Whether or not with her permission is unclear, but, since he wasn't in her friends list, it's not unreasonable to suspect it was not.
The only responsible way to demonstrate a vuln like this is to use two mutually-unfriended accounts, both under the control of the tester. Far from being the only recourse left to him, posting to Zuckerberg's timeline was a publicity stunt by Shreateh, and someone with an IT degree ought to have the security nous to realise that it was inevitably going to backfire.
-
-
-
Monday 19th August 2013 13:02 GMT Anonymous Coward
They should consider themselves lucky that he didn't sell it to malware distributors or "financial terrorists" after being ignored the first time. Let me put it this way: if someone had a botnet set up to blast unpleasant things all over facebook, invade privacy and compromise users' machines, what would it have done to their share price?
Now, will the next person who is ignored persist in trying to get his (or her) $500, or might they take the less ethical route, in light of this researcher's experience?