Earlier this week, security researcher Khalil Shreateh discovered a Facebook bug that allowed a hacker to post on anyone's wall, even if they weren't that person's friend.
While he was able to prove to Facebook that his bug was legit (despite an initial response that it wasn't a bug at all), Facebook wasn't too happy with the way he did it: by using the bug to post on Zuckerberg's otherwise friends-only wall.
Security research can be a pretty tough balancing act. If you don't follow a company's responsible reporting terms to a T, you might be robbing yourself of your fair share of recognition and, if the company is one of many that gives bug bounties, a chunk of cash. Alas, exploiting your way onto Zuck's timeline... doesn't exactly comply with Facebook's reporting rules.
In his initial report of the bug, Khalil demonstrated that he was able to post on anyone's wall by submitting a link to a post he'd made on the wall of Sarah Goodin (a college friend of Zuck's, and the first woman on Facebook).
Unfortunately, the member of the Facebook Security team who clicked the link wasn't friends with Goodin, whose wall was set to be visible to friends only. As a result, they couldn't see Khalil's post. (While Facebook Security can almost certainly override privacy settings to see anything posted on the site, they didn't seem to do that here.)
"I don't see anything when I click the link except an error," responded Facebook's Security team.
Khalil submitted the bug with the same link again, explaining that anyone investigating the link would need to either be Goodin's friend or would need to "use [their] own authority" to view the private post.
"I am sorry this is not a bug," replied the same member of the Security team, seemingly failing to grasp what was going on.
Khalil responded by taking his demonstration to the next level: if posting on the wall of one of Mark Zuckerberg's friends didn't get his point across, perhaps posting on Zuck's own wall would?
On Thursday afternoon, Khalil posted a note onto Zuckerberg's timeline. "Sorry for breaking your privacy [to post] to your wall," it read, "I [had] no other choice to make after all the reports I sent to Facebook team."
Within minutes, Facebook engineers were reaching out to Khalil. He'd made his point.
Through Facebook's whitehat exploit disclosure program, security researchers are paid at least $500 for each critical bug they report responsibly. $500 is just the minimum; the size of the bounty increases with the severity of the bug, with no set maximum.
Alas, there would be no bug bounty for Khalil. Amongst other terms, Facebook's bug disclosure policy requires researchers to use test accounts for their investigations and reports, rather than the accounts of other Facebook users. By posting to Goodin's and Zuck's walls, he'd broken those rules pretty much right out of the gate. His reports also didn't include enough detail on how to reproduce the bug, says Facebook:
Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
Since Khalil's initial post went up on Friday, there's been a healthy debate as to whether or not Facebook should be paying him a bounty. On one hand, he broke their disclosure rules (perhaps unknowingly; as many have pointed out, Facebook's disclosure terms are only available in English, which doesn't seem to be Khalil's first language); on the other, he was seemingly trying to report it responsibly rather than selling it to spammers.
Even Facebook's own engineers have entered the discussion. On Hacker News, Facebook Security Engineer Matt Jones laid things out as he saw them:
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great; though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
What say you? Should Facebook bend the rules and shell out? Would breaking the rules set a dangerous precedent?