
Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

samzenpus posted about a year ago | from the do-you-see-it-now? dept.


Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"


Take it public (5, Insightful)

scubamage (727538) | about a year ago | (#44607069)

Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I was the submitter I'd just publish the exploit and be done with it.

Re:Take it public (4, Insightful)

gl4ss (559668) | about a year ago | (#44607111)

They don't follow up on anything, I checked.

It might be because they're so swamped or maybe it's that if they feel like it's not their bug then they don't do anything. Either way not very responsive.

Re:Take it public (5, Insightful)

Anonymous Coward | about a year ago | (#44607305)

I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducible in order to warrant some debugging and investigation.

Re:Take it public (1, Insightful)

Anonymous Coward | about a year ago | (#44607407)

I'm a programmer and it really depends on the severity of the issue. Without steps to reproduce, finding the cause of an issue can sometimes be like finding a needle in a haystack. So, if it's not a big deal, it's not worth the effort.

Re:Take it public (5, Insightful)

Opportunist (166417) | about a year ago | (#44607637)

The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a thorough investigation.

A severe security hole DOES! Almost invariably. Anything that allows an attacker to gain access in some way IS a reason for an investigation. The crucial point here is that undoing the damage is nearly impossible. With a crash, you can reenter the data and undo the damage. With a security breach, the data is out and there is NO way you can undo the damage, once data is out, it IS out.

Re:Take it public (4, Insightful)

dgatwood (11270) | about a year ago | (#44607845)

No, not almost invariably. Invariably. You always follow up on security hole bug reports. Always. If you do not do this, you are incompetent. Assuming this security researcher gave them a reasonable amount of time (the summary here doesn't say), then this is once again a demonstration of Facebook talking "secure" but implementing the opposite, hyping their bounty program while refusing to pay out.

For that matter, you should always follow up on non-security bug reports unless they're obvious garbage (e.g. porn site spam submitted to your bug reporting page by a bot). But security bugs? There's no excuse for not following up on those. Ever. EVER.

Re:Take it public (0)

IndustrialComplex (975015) | about a year ago | (#44607921)

No, not almost invariably. Invariably.

I think he was referring to the fact that you do investigate something like, "Type 'fhee' in this field, send 3 page requests, and do XYZ, and you can access the timeline of an account".

But if the bug report was "Hey, I found this really severe security flaw, you think it's patched, but I've seen everything"

One is taken a bit more seriously than the other. Without the actual bug report, I can't say either way, but it could be a serious waste of time to investigate if you don't believe the submission.

Re:Take it public (-1)

Anonymous Coward | about a year ago | (#44607905)

The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a thorough investigation.

Wow really??!!! Your software must be complete crap. Any crash should be subject to complete investigation. That is because it's a problem you don't understand, and usually on the way to understanding it you're going to find random corruption, bad error handling, possibilities of data loss, etc. Otherwise, it's probably just something simple and easy to fix. Like someone failed to check a return code, or some error path is referencing something that doesn't exist. Those bugs are easy to fix and probably take less than 10 minutes by someone skilled with the product.

Worse, most crashes have exploits close by.

Frankly, this is why one needs at least one "senior" person on the team who can put their foot down about statements like this, and actually enforce it.

Re:Take it public (5, Insightful)

Anonymous Coward | about a year ago | (#44607749)

I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."

Re:Take it public (5, Insightful)

GNious (953874) | about a year ago | (#44607821)

This is why you change the Bug Status from "New" to "Need More Information", and NOT to "Closed" or "Get Lost, Ass".

Re:Take it public (4, Insightful)

Rob the Bold (788862) | about a year ago | (#44607875)

I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducible in order to warrant some debugging and investigation.

Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting. I'd also make sure my instructions and description of the report format were just a little vague, so the user would be forced to fill in the blanks, further reducing the odds that the report would be "valid". Maybe I'd require some info that most bug reporters would think irrelevant or inapplicable to most bugs -- you know, just to tempt them to skip that part. Then I could pretty much close every ticket with "can't reproduce" and screw around on facebook all day -- for quality assurance purposes, of course.

Re:Take it public (1)

Gibgezr (2025238) | about a year ago | (#44607911)

Yes, but maybe they did that, and still couldn't reproduce it.

All he did was say "I can post to anyone's timeline", which is so vague as to be useless information. It gives them no hint as to what is broken, as the Timelines are probably integrated into huge swathes of the FB codebase. It truly was a needle in a haystack, and thus totally unverifiable. He needed to send the repro info.

Re:Take it public (5, Insightful)

SQLGuru (980662) | about a year ago | (#44607303)

I read the guy's own post about it. He reported what he could do and not the steps required to exploit it. The Facebook team couldn't reproduce it as a bug (since there were no repro steps) and closed it as "not a bug".

So really, the problem was one of communication. The guy has the problem a lot of my clients/users have in that they don't give enough detail to investigate the bug and Facebook didn't really follow what he was trying to say (since he just sent them links saying "look what I did"). I'm not saying he didn't legitimately find an exploit and probably deserves some bounty ($500 is nothing to a company like Facebook), but Facebook should probably have some guidelines for how to submit bugs.

Aside - what any bug report needs:
* What action were you taking?
* What result did you observe?
* What result did you expect?
* Are there specific data values that always exhibit the symptom?
* Are there specific data values that do not exhibit the symptom?
* Reproduction steps (be as detailed as possible)
* Any other useful details about the bug (error messages, screen shots, etc.)

Re:Take it public (5, Insightful)

Skapare (16644) | about a year ago | (#44607373)

If YOU could read the guy's post, then that would be the WRONG place for him to put the details about how to reproduce it. Facebook engineers should have contacted HIM, directly, by a secure means, to get those details. If Facebook engineers expect exploits to be posted in a public forum, then it is THEY who are doing this wrong.

Jordan (-1)

Anonymous Coward | about a year ago | (#44607491)

Everything is possible these days. There is no website that has good security, every website is hackable, facebook, hotmail etc. I have hacked some accounts using hotmail account software I found on this website: http://www.prince-asfi.com/2011/03/6-ways-on-how-to-hack-hotmail-account.html
It's good for hotmail hacking.

Re:Jordan (0)

Anonymous Coward | about a year ago | (#44607801)

There is no website that has a good security

Nonsense. My web site has perfect security. OK, it has zero reachability, but hey, you have to pay a price. ;-)

Re:Take it public (1)

Anonymous Coward | about a year ago | (#44607549)

The guy posted his e-mail that he sent to facebook as "proof" that he tried to go about it the correct way. I think it was on his personal blog.

Basically all he did is say "I posted to someone's timeline, this is a bug" and linked to the post he made. He didn't explain anything.

The communication was secure between him and facebook.

Re:Take it public (-1, Offtopic)

aitikin (909209) | about a year ago | (#44607747)

The guy posted his e-mail that he sent to facebook as "proof" that he tried to go about it the correct way. I think it was on his personal blog.

Basically all he did is say "I posted to someone's timeline, this is a bug" and linked to the post he made. He didn't explain anything.

The communication was secure between him and facebook.

...and the NSA...

Re:Take it public (1)

DavidD_CA (750156) | about a year ago | (#44607965)

I believe the person is referring to the hacker's own personal blog/story, not the post that the hacker made to Facebook -- which I presume is private.

Re:Take it public (3, Insightful)

Opportunist (166417) | about a year ago | (#44607659)

'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.

Re:Take it public (0)

Anonymous Coward | about a year ago | (#44607917)

Your suggestion is standard procedure and would be fine and fully justified. His procedure broke the law and he's bloody lucky if he doesn't end up arrested, so in this case I would say it's Facebook which is showing some class.

Yes; the law is stupid. Publishing a fully working exploit will probably do more harm than using it. That however is the way it is written. The people who can fix that are the big corporations who paid for the computer laws. If Facebook came out and guaranteed they wouldn't prosecute such cases then they would deserve this type of warning. Until they do, anyone who gives it to them is being stupid.

oh and next time maybe the guy should take more care over anonymity.

Won't pay? (4, Insightful)

schneidafunk (795759) | about a year ago | (#44607087)

Seems to me that Mark is just pissed at being embarrassed, there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.

Re:Won't pay? (1, Offtopic)

vswee (2040690) | about a year ago | (#44607101)

Agreed. Also, hackers are not really the people you'd want to shortchange. They're a vengeful bunch I've heard.

Re:Won't pay? (1)

Anonymous Coward | about a year ago | (#44607155)

Lumping people together loosely by profession and then giving them generalized personality traits, are we? How ignorant.

Re:Won't pay? (0)

Anonymous Coward | about a year ago | (#44607451)

LOL. You're new to the world, aren't you.

Ignorant, he may be. Truthful, he may also be.

You figure out how it can be both.

Re:Won't pay? (2)

Redmancometh (2676319) | about a year ago | (#44607465)

Okay, better put: when hackers seek vengeance they have the means to wreak havoc. And a huge number of them revel in the opportunity.

Re:Won't pay? (2)

Opportunist (166417) | about a year ago | (#44607677)

Vengeful? Oh please. But next time he might sell it to someone else.

There's no shortage of parties interested in 0day exploits for FB...

Re:Won't pay? (5, Insightful)

Nerdfest (867930) | about a year ago | (#44607113)

Perhaps they should pay him extra and thank him ... he could have done much, much worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.

Re:Won't pay? (3, Insightful)

schneidafunk (795759) | about a year ago | (#44607145)

Exactly. You raise a good point, he used his personal account, which ended up getting suspended.

Re:Won't pay? (5, Insightful)

afidel (530433) | about a year ago | (#44607153)

Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

Re:Won't pay? (1)

CanHasDIY (1672858) | about a year ago | (#44607463)

Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

Exactly - fuck me once, shame on you, fuck me twice...

Re:Won't pay? (-1, Offtopic)

mrclisdue (1321513) | about a year ago | (#44607679)

Exactly - fuck me once, shame on you, fuck me twice...

B-but what if she's like, super HOT, and I really, really want a second fuck? It'll last more than 4 milliseconds next time, honest!

cheers,

Re:Won't pay? (0)

gnasher719 (869701) | about a year ago | (#44607217)

Perhaps they should pay him extra and thank him ... he could have done much, much worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.

Hacking into someone's account is a criminal offence. So you are saying they should pay him and thank him, because he committed a worse offence than he did?

Re:Won't pay? (4, Insightful)

Nemesisghost (1720424) | about a year ago | (#44607323)

So you are saying they should pay him and thank him, because he committed a worse offence than he did?

Yes. He tried to use their own method for reporting such problems. If he had just hacked it outright before telling them, then that'd be a different story. But when a company fails to use the information provided to them through their own communication channels, especially when it seems that they did so to screw someone out of a reward, then they deserve what they get & should still pay up.

Re:Won't pay? (1)

Anonymous Coward | about a year ago | (#44607333)

Hacking into someone's account is a criminal offence.

In that case, as Facebook are offering a bounty on security flaws, they are encouraging people to break the law.

Re:Won't pay? (3, Interesting)

Chris Mattern (191822) | about a year ago | (#44607397)

No they aren't, because *finding* a security flaw is not the same thing as illegally *exploiting* a security flaw. If you need a proof of concept, you can hack your own account.

Re:Won't pay? (1)

CanHasDIY (1672858) | about a year ago | (#44607503)

No they aren't, because *finding* a security flaw is not the same thing as illegally *exploiting* a security flaw. If you need a proof of concept, you can hack your own account.

Which is still illegal (because even though it's "your account," you still have to run the exploit on someone else's network), and still a violation of the ToS.

Not illegal (1)

schneidafunk (795759) | about a year ago | (#44607639)

I think you are mistaking illegal versus violating terms of service. He did nothing illegal.

Re:Not illegal (1)

CanHasDIY (1672858) | about a year ago | (#44607751)

If that were the case, I likely wouldn't have listed both.

Pretty sure compromising a remote system that does not belong to you without permission is a violation of the Computer Fraud and Abuse Act.

Re:Not illegal (1)

IcarusMoth (631872) | about a year ago | (#44607817)

So, American laws now apply to foreign nationals who are not in America? That's awesome! U-S-A! U-S-A! Unless of course he's a foreign national outside the legal borders of America and therefore not subject to American laws. ...one of the two...

Re:Not illegal (1, Insightful)

CanHasDIY (1672858) | about a year ago | (#44607933)

So, American laws now apply to foreign nationals who are not in America?

A) Have you been sleeping the past decade or so? If the non-American government acquiesces to the US Government's demands, then yes, apparently they do. Not that I agree with the practice.

B) The dude in question is a Palestinian. Really, if you know anything about US/Israeli/Palestinian relations, that should be all I have to say.

The childishness in the center of your statements was completely without necessity.

Re:Won't pay? (4, Insightful)

ArhcAngel (247594) | about a year ago | (#44607483)

Hacking into someone's account is a criminal offence.

It was not hacking since Facebook said themselves it was not a bug. Therefore it must be a feature and taking advantage of a feature is not hacking. Now if someone were to take advantage of that feature on my account I would sue Facebook for providing said feature and point to their own forum as evidence.

Re:Won't pay? (1)

Mike (1172) | about a year ago | (#44607615)

Hacking into someone's account is a criminal offence.

Well, therein lies [a] problem. Any such law is completely bogus in the first place.

Re:Won't pay? (1)

LordLimecat (1103839) | about a year ago | (#44607737)

We're saying that not paying him has made it so that hackers will simply not bother next time, and will instead sell the exploit on the black market.

Re:Won't pay? (5, Insightful)

IronOxen (2502562) | about a year ago | (#44607255)

Actually, he also exposed a bug in the bug reporting system that prevents it from responding to and or acknowledging the exact type of vulnerabilities it was designed to find. It was obviously repeatable since the vulnerability was reported twice and was ignored both times. He should be paid for that one as well.

Re:Won't pay? (0)

Anonymous Coward | about a year ago | (#44607433)

Does having the CIA get them arrested by Pakistani authorities for wire tapping count as "extra pay"? Just curious, because you know that will happen next.

Re:Won't pay? (2)

Nidi62 (1525137) | about a year ago | (#44607663)

How is a Palestinian going to get arrested by Pakistani authorities?

Re:Won't pay? (0)

Anonymous Coward | about a year ago | (#44607273)

And they should pay him more than $500 for being assholes.

Re:Won't pay? (1)

poetmatt (793785) | about a year ago | (#44607313)

this is facebook. they're not in the business of security or privacy. what do you expect?

Re:Won't pay? (2)

Opportunist (166417) | about a year ago | (#44607725)

*gasp*

That they are interested in protecting their assets! Imagine someone could come and siphon away all the info without paying them!

Facebook is scum, break it. (-1)

Anonymous Coward | about a year ago | (#44607089)

Break it bad.

I'm Amazed... (2, Funny)

DexterIsADog (2954149) | about a year ago | (#44607107)

...people are still using Facebook?

Re:I'm Amazed... (1)

Anonymous Coward | about a year ago | (#44607169)

Hurr durr. It's easy to be amazed by that if you don't speak to anyone outside of your geek echo chamber.

Re:I'm Amazed... (1)

Anonymous Coward | about a year ago | (#44607259)

The younger generation is moving away from it...primarily because of parents being on there. Twitter and all other manner of anonymous rapid publishing make Facebook seem unused by comparison.

Re:I'm Amazed... (1)

Opportunist (166417) | about a year ago | (#44607741)

Yup. Not only that, but you can see how the "geek" community (and those that want to be seen as such) are moving away from its "commercial" reek. Since every company and their dog need to muscle in, FB is about as hip as disco.

Irony is hard (0)

Anonymous Coward | about a year ago | (#44607493)

sarcasm is harder. wow people are touchy

Re:I'm Amazed... (0)

Anonymous Coward | about a year ago | (#44607221)

Area Man Constantly Telling Everyone He Doesn't Use Facebook

Re:I'm Amazed... (0)

Anonymous Coward | about a year ago | (#44607247)

Yeah, it's a pretty active website. You should check it out sometime!

refuse to pay? (1)

Anonymous Coward | about a year ago | (#44607109)

I would think that $500 is pretty cheap.. Why piss off everybody who might help you?

Re:refuse to pay? (1)

idontgno (624372) | about a year ago | (#44607581)

Why piss off everybody who might help you?

Why not crush everybody who might embarrass you?

Or, as another sharp analyst put it: [constitution.org]

Upon this a question arises: whether it be better to be loved than feared or feared than loved? It may be answered that one should wish to be both, but, because it is difficult to unite them in one person, it is much safer to be feared than loved, when, of the two, either must be dispensed with.

In context, that means that if you can make people afraid of trying to hack you, you don't need their respect (or actual competence on your part) to avoid being hacked. Once you've fully domesticated the sheep, you can expect that they won't test their fences any more.

Of course, this strategy is pre-ordained to fail: the psychology of black-hat is full of a kind of irrational sense of invincibility. Like many other sociopaths, they're always the ones most surprised when they're busted. So the lessons of fear are lost on them. But it certainly seems cheaper to the service provider than actually hardening and resolving exploitable holes.

Re:refuse to pay? (1)

Opportunist (166417) | about a year ago | (#44607757)

Why not crush everybody who might embarrass you?

Because of groups like Anonymous. They get a kick out of embarrassing people who get really upset about it.

What next? (0)

Anonymous Coward | about a year ago | (#44607117)

So is he going to respond by firing some rockets at them?

Re:What next? (3, Funny)

Rob the Bold (788862) | about a year ago | (#44607197)

So is he going to respond by firing some rockets at them?

WTF? Zuck's got a private army now? Maybe he got some Predators as a thank-you gift from the NSA.

Re: What next? (0)

Anonymous Coward | about a year ago | (#44607291)

Yes, Predators are often overlooked. Just cover yourself with mud and smash them with a log and you'll be fine. Or stay out of the jungles, which are their primary habitat.

Re: What next? (2, Funny)

CanHasDIY (1672858) | about a year ago | (#44607521)

Yes, Predators are often overlooked. Just cover yourself with mud and smash them with a log and you'll be fine. Or stay out of the jungles, which are their primary habitat.

Tell that to Danny Glover.

That's a catch 22 (4, Insightful)

i kan reed (749298) | about a year ago | (#44607119)

Post what you know to their white-hate system: not reproducible with that information. No money.
Reproduce it yourself: violating TOS. No money.

Re:That's a catch 22 (5, Insightful)

Nerdfest (867930) | about a year ago | (#44607177)

Sell it on the open market, plenty of money.

Re:That's a catch 22 (0)

Anonymous Coward | about a year ago | (#44607233)

I don't know that I'd go so far as to say their system is racist against white people...

Re:That's a catch 22 (0)

NatasRevol (731260) | about a year ago | (#44607517)

It's much more likely that you have to put in a description of things whites hate. Like baseball. And snow.

Devil's Advocate (0)

Anonymous Coward | about a year ago | (#44607193)

The messages he sent to facebook's bug reporting system read a lot like spam. The first two started with: "my name is khalil shreateh.
i finished school with B.A degree in Infromation Systems . "

Can't really blame them for not taking it too seriously to begin with. As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.

Re:Devil's Advocate (3, Insightful)

bill_mcgonigle (4333) | about a year ago | (#44607309)

As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.

It's not 'leveraging an attack' when it's demonstrating the veracity of the claim, to a higher-up employee's wall because the lower level employee ignored you. If there's a problem with his behavior it's that he first posted on the wall of a friend of Zuck, who is not an employee and outside the bug reporting transaction. That was stupid, but a post to Facebook Security's page seems like fair game to demonstrate a problem.

That said, his bug report was complete shit and barely distinguishable from spam. How can he have an IS degree if he can't even write a decent bug report?

$500 is a lot of money (1, Funny)

LifesABeach (234436) | about a year ago | (#44607201)

After Facebook's stock plummet, Mark is pretty hard up for cash; maybe Kahlil Shreateh could cut junior some slack? Let's "face it", super hero underware for staff members is not cheap?

Re:$500 is a lot of money (2)

phantomfive (622387) | about a year ago | (#44607249)

Have you looked at Facebook's stock recently? It's getting close to the IPO price.

Re:$500 is a lot of money (1)

rwyoder (759998) | about a year ago | (#44607379)

Have you looked at Facebook's stock recently? It's getting close to the IPO price.

It actually closed a little *over* the IPO price on several days last week.

Re:$500 is a lot of money (2)

camperdave (969942) | about a year ago | (#44607253)

Underware? Is that some sort of page 0 TSR, or BIOS xploit, or something?

Guilty of being Palestinian (1, Interesting)

Anonymous Coward | about a year ago | (#44607225)

How much you want to bet it's because they don't want to be seen giving money to someone in Palestine?

Re:Guilty of being Palestinian (4, Insightful)

Chris Mattern (191822) | about a year ago | (#44607415)

$0. They didn't give him money because a) it was a shit bug report and b) corporations are innately averse to giving out money to *anybody*, even if there's a policy saying they have to. Palestine has nothing to do with it.

Not worth it (5, Interesting)

phantomfive (622387) | about a year ago | (#44607229)

Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds.

That's absolutely not worth the money. He's better off taking the publicity he got from this and turning it into a high-paying job.

Are all security hacks a TOS violation? (1)

Anonymous Coward | about a year ago | (#44607235)

Because we all know that any security exploit that breaks the TOS would never be used by a Black Hat.

You still have an account there? (-1)

Anonymous Coward | about a year ago | (#44607277)

Enough said.

The true reason? (0)

Anonymous Coward | about a year ago | (#44607325)

Could the true reason be that palestine is being embargoed by the U.S. and Facebook can't send the guy money even if they wanted to?

A great way to alienate the white-hat community. (5, Insightful)

fuzzytv (2108482) | about a year ago | (#44607371)

Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473 [zdnet.com]

If someone from Facebook reads this, and it's TL;DR, here are the next steps:

#1 apologize to the guy, acknowledge he reported the issue twice
#2 reinstate the account and pay him his reward
#3 fix the damn issue

Re:A great way to alienate the white-hat community (2)

Skapare (16644) | about a year ago | (#44607421)

#4 fire whoever is responsible for him being ignored.

Re:A great way to alienate the white-hat community (0)

awpoopy (1054584) | about a year ago | (#44607509)

#5 Hire him and put him in charge of the department that ignored him. Give him the backing to fire where needed.

500 USD? (1, Insightful)

ebonum (830686) | about a year ago | (#44607399)

What a joke. Facebook should fire the guy costing 150,000 USD a year (take-home pay and all-in cost to FB are not the same) who wrote the offending code.

500 USD for a bug is an insult. How much do their QC people make a month? They failed, and they are getting a lot more than 500 USD.

Re:500 USD? (0)

Anonymous Coward | about a year ago | (#44607471)

Facebook should fire the guy ... who wrote the offending code.

When it's original Zuckercode, they might not be willing to take that step.

Re:500 USD? (3, Insightful)

Impy the Impiuos Imp (442658) | about a year ago | (#44607759)

$5000 would be a better starting bounty. What are they expecting, 100,000 bugs?

Re:500 USD? (0)

Anonymous Coward | about a year ago | (#44607861)

The problem with bug bounties also has to do with how you count them and not all bugs being created equal. You could get a ton of minor GUI glitches worth like five dollars each or one big one of "Hey, if you enter this in the login field you can output all of the personal data and then enter this to destroy their database."

Minions!!! (0)

Anonymous Coward | about a year ago | (#44607401)

Looks like Facebook is rapidly declining into the corporate morass. WAKE UP Facebook!!

Re:Minions!!! (2)

Opportunist (166417) | about a year ago | (#44607837)

To get to the corporate morass, they certainly wouldn't have to decline...

Jordan (-1)

Anonymous Coward | about a year ago | (#44607461)

That's nice, but everything is possible. It's easy to hack Facebook accounts these days.. same for hotmail.

I have tried using this website, it's good for hacking: http://www.prince-asfi.com

Cheapskates (4, Funny)

Anonymous Coward | about a year ago | (#44607479)

Refusing to pay because it violates terms of service? Wait wait, I'm now convinced all my online details are safe. After all, the terms of service protect me from dishonest hackers, right?

This is so bad (0)

Anonymous Coward | about a year ago | (#44607525)

I mean, you ask people to send bugs to you, you even offer to pay.. and now for some obscure reason you don't? And after that you want me to "trust" you?
Hackers are not people who follow "rules" and/or TOS. That's why they find bugs!

BRIGHT EYES (0)

Anonymous Coward | about a year ago | (#44607585)

you know who you are

Trying to save face... (1)

oh_my_080980980 (773867) | about a year ago | (#44607625)

You were warned repeatedly and ignored it. FU.

Easy to remedy... (0)

Anonymous Coward | about a year ago | (#44607627)

Fire the idiot(s) who denied the bug existed and hire Kahlil to replace them. Simple.

He should sit on it for a week, then repeat. (0)

Anonymous Coward | about a year ago | (#44607731)

He should sit on it, and let them stew over it waiting for the head cheese to come down on them for not fixing it.

Then repeat his feat again next week to remind the head cheese to take action.

Google has a much better bounty program... (3, Informative)

slashkitty (21637) | about a year ago | (#44607867)

They pay $7,500 for an XSS bug, more for more serious bugs. Facebook better think about their program before a more serious bug is made public or exploited privately.

Small claims court (0)

Anonymous Coward | about a year ago | (#44607943)

Or Judge Judy. AFAIK no lawyers allowed.

stupid me (1)

Anonymous Coward | about a year ago | (#44607945)

Well, what did he expect
when a Palestinian goes and invades the home (page) of someone called Zuckerberg?
It's despicable and horrible and would never happen in the real world.....oh hang on a minute
