Say you’re a security researcher and you’ve found a pretty serious bug on Facebook. You want to do the right thing, so you report it, not once but twice, but no action is taken. What do you do? If you’re the Palestinian white-hat hacker Khalil Shreateh, you use the bug to post on Mark Zuckerberg’s personal timeline, leaving both an explanation and an apology. Here are the details:
Frustrated, Shreateh decided to use the glitch to hack into Mark Zuckerberg’s profile page. In a post which has since been removed, he apologised for breaking Zuckerberg’s privacy, adding: “I had no other choice… after all the reports I sent to Facebook team”.
In less than a minute, Shreateh’s Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit.
I guess the take-home message is that if you want Facebook to take you seriously, all you have to do is hack Mark Zuckerberg’s Facebook page. Facebook, though, denies that this is the case:
In a Hacker News thread, Matt Jones from Facebook’s security team confirmed that the bug has now been fixed, admitting that the company should have asked more details after Shreateh’s initial report.
“We get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters,” he said.
“However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it’s sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.”
Sorry, but I find this to be a really lame response. If you are serious about security, you have the responsibility to always follow up on reports of security holes. Failure to do so pretty much means you are either incompetent or you don’t care about security. This is a big reason why I do not have a Facebook account and never will. Now, I don’t advocate this sort of behavior, but if you’re trying to do the right thing and the organization you’re trying to help doesn’t care, I guess public shame is the only way to go.
Hopefully Facebook learns its lesson and changes their behavior in this regard.