After white hat researcher hacks Mark Zuckerberg’s timeline, Facebook vows to improve communication
Facebook CEO and Co-Founder Mark Zuckerberg loves building a hacker culture, but when his own timeline was hacked, things got a little serious.
White hat researcher Khalil Shreateh tried to get Facebook’s attention regarding a bug that would allow a hacker to post to anyone’s timeline, but didn’t get much of a response from the company. Facebook responded to Shreateh, saying that what he brought to their attention was not a bug. Feeling that his claims were falling on deaf ears, Shreateh went all out and hacked into Zuckerberg’s timeline.
Facebook responded, saying that its white hat program had “failed” in its communication with Shreateh.
In a post on the Facebook Security blog, Facebook Chief Security Officer Joe Sullivan outlined changes that will happen as a result of the snafu:
We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem. The breakdown here was not about a language barrier or a lack of interest — it was purely because the absence of detail made it look like yet another misrouted user report. An example of the type of detailed report we encourage is the video this researcher released after the fact. Most researchers will provide that level of detail in their reports to us, and this is the type of granularity we need to investigate reports and, if they’re legitimate, reward the people who submitted them.
We will make two changes as a result of this case: (1) We will improve our email messaging to make sure we clearly articulate what we need to validate a bug, and (2) we will update our whitehat page with more information on the best ways to submit a bug report.
We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug.
Image courtesy of Khalil Shreateh.