Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page

samzenpus posted about 8 months ago | from the do-you-see-it-now? dept.

Eugriped3z writes "Whitehat Palestinian hacker Kahlil Shreateh submitted a bug report to Facebook's Whitehat bug reporting page not once, but twice. After it was ignored the first time and denied outright on the second occasion (which included links to an example as proof), he hacked Mark Zuckerberg's personal timeline, leaving both an explanation and an apology. From the article: 'In less than a minute, Shreateh's Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit. 'Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,' the engineer wrote in an email. 'We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.' Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook's Terms of Service.'"

266 comments

Take it public (5, Insightful)

scubamage (727538) | about 8 months ago | (#44607069)

Screw them, the onus is on them to take action when someone reports a bug. If you don't have enough information when there is a security problem, maybe, JUST MAYBE, you should follow up with the submitter. If I was the submitter I'd just publish the exploit and be done with it.

Re:Take it public (4, Insightful)

gl4ss (559668) | about 8 months ago | (#44607111)

They don't follow up on anything, I checked.

It might be because they're so swamped or maybe it's that if they feel like it's not their bug then they don't do anything. Either way not very responsive.

Re:Take it public (5, Insightful)

Anonymous Coward | about 8 months ago | (#44607305)

I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducible in order to warrant some debugging and investigation.

Re:Take it public (1, Insightful)

Anonymous Coward | about 8 months ago | (#44607407)

I'm a programmer and it really depends on the severity of the issue. Without steps to reproduce, finding the cause of an issue can sometimes be like finding a needle in a haystack. So, if it's not a big deal, it's not worth the effort.

Re:Take it public (5, Insightful)

Opportunist (166417) | about 8 months ago | (#44607637)

The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a thorough investigation.

A severe security hole DOES! Almost invariably. Anything that allows an attacker to gain access in some way IS a reason for an investigation. The crucial point here is that undoing the damage is nearly impossible. With a crash, you can reenter the data and undo the damage. With a security breach, the data is out and there is NO way you can undo the damage, once data is out, it IS out.

Re:Take it public (4, Insightful)

dgatwood (11270) | about 8 months ago | (#44607845)

No, not almost invariably. Invariably. You always follow up on security hole bug reports. Always. If you do not do this, you are incompetent. Assuming this security researcher gave them a reasonable amount of time (the summary here doesn't say), then this is once again a demonstration of Facebook talking "secure" but implementing the opposite, hyping their bounty program while refusing to pay out.

For that matter, you should always follow up on non-security bug reports unless they're obvious garbage (e.g. porn site spam submitted to your bug reporting page by a bot). But security bugs? There's no excuse for not following up on those. Ever. EVER.

Re:Take it public (0)

IndustrialComplex (975015) | about 8 months ago | (#44607921)

No, not almost invariably. Invariably.

I think he was referring to the fact that you do investigate something like, "Type 'fhee' in this field, send 3 page requests, and do XYZ, and you can access the timeline of an account".

But if the bug report was "Hey, I found this really severe security flaw, you think it's patched, but I've seen everything"

One is taken a bit more seriously than the other. Without the actual bug report, I can't say either way, but it could be a serious waste of time to investigate if you don't believe the submission.

Re:Take it public (-1)

Anonymous Coward | about 8 months ago | (#44607905)

The severity of a problem determines whether it pays to investigate. An odd crash once a week with no repeatable underlying condition and no data loss doesn't warrant a thorough investigation.

Wow, really??!!! Your software must be complete crap. Any crash should be subject to complete investigation. That is because it's a problem you don't understand, and usually on the way to understanding it you're going to find random corruption, bad error handling, possibilities of data loss, etc. Otherwise, it's probably just something simple and easy to fix. Like someone failed to check a return code, or some error path is referencing something that doesn't exist. Those bugs are easy to fix and probably take less than 10 minutes by someone skilled with the product.

Worse, most crashes have exploits close by.

Frankly, this is why one needs at least one "senior" person on the team who can put their foot down about statements like this, and actually enforce it.

Re:Take it public (5, Insightful)

Anonymous Coward | about 8 months ago | (#44607749)

I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."

Re:Take it public (5, Insightful)

GNious (953874) | about 8 months ago | (#44607821)

This is why you change the Bug Status from "New" to "Need More Information", and NOT to "Closed" or "Get Lost, Ass".

Re:Take it public (4, Insightful)

Rob the Bold (788862) | about 8 months ago | (#44607875)

I'm a QA analyst, and the quote: "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." is totally incorrect. An issue does not have to be reproducible in order to warrant some debugging and investigation.

Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting. I'd also make sure my instructions and description of the report format were just a little vague, so the user would be forced to fill in the blanks, further reducing the odds that the report would be "valid". Maybe I'd require some info that most bug reporters would think irrelevant or inapplicable to most bugs -- you know, just to tempt them to skip that part. Then I could pretty much close every ticket with "can't reproduce" and screw around on facebook all day -- for quality assurance purposes, of course.

Re:Take it public (1)

Gibgezr (2025238) | about 8 months ago | (#44607911)

Yes, but maybe they did that, and still couldn't reproduce it.
All he did was say "I can post to anyone's timeline", which is so vague as to be useless information. It gives them no hint as to what is broken, as the Timelines are probably integrated into huge swathes of the FB codebase. It truly was a needle in a haystack, and thus totally unverifiable. He needed to send the repro info.

Re:Take it public (5, Insightful)

SQLGuru (980662) | about 8 months ago | (#44607303)

I read the guy's own post about it. He reported what he could do and not the steps required to exploit it. The Facebook team couldn't reproduce it as a bug (since there were no repro steps) and closed it as "not a bug".

So really, the problem was one of communication. The guy has the problem a lot of my clients/users have in that they don't give enough detail to investigate the bug and Facebook didn't really follow what he was trying to say (since he just sent them links saying "look what I did"). I'm not saying he didn't legitimately find an exploit and probably deserves some bounty ($500 is nothing to a company like Facebook), but Facebook should probably have some guidelines for how to submit bugs.

Aside - what any bug report needs:
* What action were you taking?
* What result did you observe?
* What result did you expect?
* Are there specific data values that always exhibit the symptom?
* Are there specific data values that do not exhibit the symptom?
* Reproduction steps (be as detailed as possible)
* Any other useful details about the bug (error messages, screen shots, etc.)

Re:Take it public (5, Insightful)

Skapare (16644) | about 8 months ago | (#44607373)

If YOU could read the guy's post, then that would be the WRONG place for him to put the details about how to reproduce it. Facebook engineers should have contacted HIM, directly, by a secure means, to get those details. If Facebook engineers expect exploits to be posted in a public forum, then it is THEY who are doing this wrong.

Jordan (-1)

Anonymous Coward | about 8 months ago | (#44607491)

Everything is possible these days. There is no website that has good security; every website is hackable: Facebook, Hotmail, etc. I have hacked some accounts using Hotmail account software I found on this website: http://www.prince-asfi.com/2011/03/6-ways-on-how-to-hack-hotmail-account.html
It's good for Hotmail hacking.

Re:Jordan (0)

Anonymous Coward | about 8 months ago | (#44607801)

There is no website that has good security

Nonsense. My web site has perfect security. OK, it has zero reachability, but hey, you have to pay a price. ;-)

Re:Take it public (1)

Anonymous Coward | about 8 months ago | (#44607549)

The guy posted his e-mail that he sent to facebook as "proof" that he tried to go about it the correct way. I think it was on his personal blog.

Basically all he did is say "I posted to someone's timeline, this is a bug" and linked to the post he made. He didn't explain anything.

The communication was secure between him and facebook.

Re:Take it public (-1, Offtopic)

aitikin (909209) | about 8 months ago | (#44607747)

The guy posted his e-mail that he sent to facebook as "proof" that he tried to go about it the correct way. I think it was on his personal blog.

Basically all he did is say "I posted to someone's timeline, this is a bug" and linked to the post he made. He didn't explain anything.

The communication was secure between him and facebook.

...and the NSA...

Re:Take it public (1)

DavidD_CA (750156) | about 8 months ago | (#44607965)

I believe the person is referring to the hacker's own personal blog/story, not the post that the hacker made to Facebook -- which I presume is private.

Re:Take it public (3, Insightful)

Opportunist (166417) | about 8 months ago | (#44607659)

'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.

Re:Take it public (0)

Anonymous Coward | about 8 months ago | (#44607917)

Your suggestion is standard procedure and would be fine and fully justified. His procedure broke the law and he's bloody lucky if he doesn't end up arrested, so in this case I would say it's Facebook that is showing some class.


Yes; the law is stupid. Publishing a fully working exploit will probably do more harm than using it. That however is the way it is written. The people who can fix that are the big corporations who paid for the computer laws. If Facebook came out and guaranteed they wouldn't prosecute such cases then they would deserve this type of warning. Until they do, anyone who gives it to them is being stupid.

Oh, and next time maybe the guy should take more care over anonymity.

Won't pay? (4, Insightful)

schneidafunk (795759) | about 8 months ago | (#44607087)

Seems to me that Mark is just pissed at being embarrassed, there really is no justification for not paying him. He submitted the bug to their security team first before exploiting it in a harmless way.

Re:Won't pay? (1, Offtopic)

vswee (2040690) | about 8 months ago | (#44607101)

Agreed. Also, hackers are not really the people you'd want to shortchange. They're a vengeful bunch I've heard.

Re:Won't pay? (1)

Anonymous Coward | about 8 months ago | (#44607155)

Lumping people together loosely by profession and then giving them generalized personality traits, are we? How ignorant.

Re:Won't pay? (0)

Anonymous Coward | about 8 months ago | (#44607451)

LOL. You're new to the world, aren't you.

Ignorant, he may be. Truthful, he may also be.

You figure out how it can be both.

Re:Won't pay? (2)

Redmancometh (2676319) | about 8 months ago | (#44607465)

Okay, better put: when hackers seek vengeance they have the means to wreak havoc. And a huge number of them revel in the opportunity.

Re:Won't pay? (2)

Opportunist (166417) | about 8 months ago | (#44607677)

Vengeful? Oh please. But next time he might sell it to someone else.

There's no shortage of parties interested in 0day exploits for FB...

Re:Won't pay? (5, Insightful)

Nerdfest (867930) | about 8 months ago | (#44607113)

Perhaps they should pay him extra and thank him ... he could have done much, much, worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.

Re:Won't pay? (5, Insightful)

afidel (530433) | about 8 months ago | (#44607153)

Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

Re:Won't pay? (1)

CanHasDIY (1672858) | about 8 months ago | (#44607463)

Ding! Next time maybe he sells it on the black market instead of trying repeatedly to inform a company that obviously doesn't give a crap about security.

Exactly - fuck me once, shame on you, fuck me twice...

Re:Won't pay? (-1, Offtopic)

mrclisdue (1321513) | about 8 months ago | (#44607679)

Exactly - fuck me once, shame on you, fuck me twice...

B-but what if she's like, super HOT, and I really, really want a second fuck? It'll last more than 4 milliseconds next time, honest!

cheers,

Re:Won't pay? (0)

gnasher719 (869701) | about 8 months ago | (#44607217)

Perhaps they should pay him extra and thank him ... he could have done much, much, worse, and from a dummy account. He quite obviously wanted to help. Being a dick to people trying to help you is not a great way to encourage others.

Hacking into someone's account is a criminal offence. So you are saying they should pay him and thank him, because he committed a worse offence than he did?

Re:Won't pay? (4, Insightful)

Nemesisghost (1720424) | about 8 months ago | (#44607323)

So you are saying they should pay him and thank him, because he committed a worse offence than he did?

Yes. He tried to use their own method for reporting such problems. If he had just hacked it outright before telling them, then that'd be a different story. But when a company fails to use the information provided to them from their own communication channels, especially when it seems that they did so to screw someone out of a reward, then they deserve what they got and should still pay up.

Re:Won't pay? (1)

Anonymous Coward | about 8 months ago | (#44607333)

Hacking into someone's account is a criminal offence.

In that case, as Facebook are offering a bounty on security flaws, they are encouraging people to break the law.

Re:Won't pay? (3, Interesting)

Chris Mattern (191822) | about 8 months ago | (#44607397)

No they aren't, because *finding* a security flaw is not the same thing as illegally *exploiting* a security flaw. If you need a proof of concept, you can hack your own account.

Re:Won't pay? (1)

CanHasDIY (1672858) | about 8 months ago | (#44607503)

No they aren't, because *finding* a security flaw is not the same thing as illegally *exploiting* a security flaw. If you need a proof of concept, you can hack your own account.

Which is still illegal (because even though it's "your account," you still have to run the exploit on someone else's network), and still a violation of the ToS.

Not illegal (1)

schneidafunk (795759) | about 8 months ago | (#44607639)

I think you are mistaking illegal versus violating terms of service. He did nothing illegal.

Re:Not illegal (1)

CanHasDIY (1672858) | about 8 months ago | (#44607751)

If that were the case, I likely wouldn't have listed both.

Pretty sure compromising a remote system that does not belong to you without permission is a violation of the Computer Fraud and Abuse Act.

Re:Not illegal (1)

IcarusMoth (631872) | about 8 months ago | (#44607817)

So, American laws now apply to foreign nationals who are not in America? That's awesome! U-S-A! U-S-A! Unless of course he's a foreign national outside the legal borders of America and therefore not subject to American laws. ...one of the two...

Re:Not illegal (1, Insightful)

CanHasDIY (1672858) | about 8 months ago | (#44607933)

So, American laws now apply to foreign nationals who are not in America?

A) Have you been sleeping the past decade or so? If the non-American government acquiesces to the US Government demands, then yes, apparently they do. Not that I agree with the practice.

B) The dude in question is a Palestinian. Really, if you know anything about US/Israeli/Palestinian relations, that should be all I have to say.

The childishness in the center of your statements was completely without necessity.

Re:Won't pay? (4, Insightful)

ArhcAngel (247594) | about 8 months ago | (#44607483)

Hacking into someone's account is a criminal offence.

It was not hacking since Facebook said themselves it was not a bug. Therefore it must be a feature and taking advantage of a feature is not hacking. Now if someone were to take advantage of that feature on my account I would sue Facebook for providing said feature and point to their own forum as evidence.

Re:Won't pay? (1)

Mike (1172) | about 8 months ago | (#44607615)

Hacking into someone's account is a criminal offence.

Well, therein lies [a] problem. Any such law is completely bogus in the first place.

Re:Won't pay? (1)

LordLimecat (1103839) | about 8 months ago | (#44607737)

We're saying that not paying him has made it so that hackers will simply not bother next time, and will instead sell the exploit on the black market.

Re:Won't pay? (5, Insightful)

IronOxen (2502562) | about 8 months ago | (#44607255)

Actually, he also exposed a bug in the bug reporting system that prevents it from responding to and/or acknowledging the exact type of vulnerabilities it was designed to find. It was obviously repeatable since the vulnerability was reported twice and was ignored both times. He should be paid for that one as well.

Re:Won't pay? (0)

Anonymous Coward | about 8 months ago | (#44607433)

Does having the CIA get them arrested by Pakistani authorities for wire tapping count as "extra pay"? Just curious, because you know that will happen next.

Re:Won't pay? (0)

Anonymous Coward | about 8 months ago | (#44607273)

And they should pay him more than $500 for being assholes.

Re:Won't pay? (1)

poetmatt (793785) | about 8 months ago | (#44607313)

this is facebook. they're not in the business of security or privacy. what do you expect?

Re:Won't pay? (2)

Opportunist (166417) | about 8 months ago | (#44607725)

*gasp*

That they are interested in protecting their assets! Imagine someone could come and siphon away all the info without paying them!

Facebook is scum, break it. (-1)

Anonymous Coward | about 8 months ago | (#44607089)

Break it bad.

I'm Amazed... (2, Funny)

DexterIsADog (2954149) | about 8 months ago | (#44607107)

...people are still using Facebook?

Re:I'm Amazed... (1)

Anonymous Coward | about 8 months ago | (#44607169)

Hurr durr. It's easy to be amazed by that if you don't speak to anyone outside of your geek echo chamber.

Re:I'm Amazed... (1)

Anonymous Coward | about 8 months ago | (#44607259)

The younger generation is moving away from it...primarily because of parents being on there. Twitter and all other manner of anonymous rapid publishing make Facebook seem unused by comparison.

Re:I'm Amazed... (1)

Opportunist (166417) | about 8 months ago | (#44607741)

Yup. Not only that, but you can see how the "geek" community (and those that want to be seen as such) are moving away for its "commercial" reek. Since every company and their dog need to muscle in, FB is about as hip as disco.

Irony is hard (0)

Anonymous Coward | about 8 months ago | (#44607493)

sarcasm is harder. wow people are touchy

Re:I'm Amazed... (0)

Anonymous Coward | about 8 months ago | (#44607221)

Area Man Constantly Telling Everyone He Doesn't Use Facebook

Re:I'm Amazed... (0)

Anonymous Coward | about 8 months ago | (#44607247)

Yeah, it's a pretty active website. You should check it out sometime!

refuse to pay? (1)

Anonymous Coward | about 8 months ago | (#44607109)

I would think that $500 is pretty cheap.. Why piss off everybody who might help you?

Re:refuse to pay? (1)

idontgno (624372) | about 8 months ago | (#44607581)

Why piss off everybody who might help you?

Why not crush everybody who might embarrass you?

Or, as another sharp analyst put it: [constitution.org]

Upon this a question arises: whether it be better to be loved than feared or feared than loved? It may be answered that one should wish to be both, but, because it is difficult to unite them in one person, it is much safer to be feared than loved, when, of the two, either must be dispensed with.

In context, that means that if you can make people afraid of trying to hack you, you don't need their respect (or actual competence on your part) to avoid being hacked. Once you've fully domesticated the sheep, you can expect that they won't test their fences any more.

Of course, this strategy is pre-ordained to fail: the psychology of black-hat is full of a kind of irrational sense of invincibility. Like many other sociopaths, they're always the ones most surprised when they're busted. So the lessons of fear are lost on them. But it certainly seems cheaper to the service provider than actually hardening and resolving exploitable holes.

Re:refuse to pay? (1)

Opportunist (166417) | about 8 months ago | (#44607757)

Why not crush everybody who might embarrass you?

Because of groups like Anonymous. They get a kick out of embarrassing people who get really upset about it.

What next? (0)

Anonymous Coward | about 8 months ago | (#44607117)

So is he going to respond by firing some rockets at them?

Re:What next? (3, Funny)

Rob the Bold (788862) | about 8 months ago | (#44607197)

So is he going to respond by firing some rockets at them?

WTF? Zuck's got a private army now? Maybe he got some Predators as a thank-you gift from the NSA.

Re: What next? (0)

Anonymous Coward | about 8 months ago | (#44607291)

Yes, Predators are often overlooked. Just cover yourself with mud and smash them with a log and you'll be fine. Or stay out of the jungles, which are their primary habitat.

Re: What next? (2, Funny)

CanHasDIY (1672858) | about 8 months ago | (#44607521)

Yes, Predators are often overlooked. Just cover yourself with mud and smash them with a log and you'll be fine. Or stay out of the jungles, which are their primary habitat.

Tell that to Danny Glover.

That's a catch 22 (4, Insightful)

i kan reed (749298) | about 8 months ago | (#44607119)

Post what you know to their white-hate system: not reproducible with that information. No money.
Reproduce it yourself: violating TOS. No money.

Re:That's a catch 22 (0)

Anonymous Coward | about 8 months ago | (#44607233)

I don't know that I'd go so far as to say their system is racist against white people...

Re:That's a catch 22 (0)

NatasRevol (731260) | about 8 months ago | (#44607517)

It's much more likely that you have to put in a description of things whites hate. Like baseball. And snow.

Devil's Advocate (0)

Anonymous Coward | about 8 months ago | (#44607193)

The messages he sent to facebook's bug reporting system read a lot like spam. The first two started with: "my name is khalil shreateh.
i finished school with B.A degree in Infromation Systems . "

Can't really blame them for not taking it too seriously to begin with. As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.

Re:Devil's Advocate (3, Insightful)

bill_mcgonigle (4333) | about 8 months ago | (#44607309)

As for not paying him, aren't these bug bounty systems meant to foster responsible disclosure? I'm pretty sure leveraging an attack you found does not count as such.

It's not 'leveraging an attack' when it's demonstrating the veracity of the claim, to a higher-up employee's wall because the lower level employee ignored you. If there's a problem with his behavior it's that he first posted on the wall of a friend of Zuck, who is not an employee and outside the bug reporting transaction. That was stupid, but a post to Facebook Security's page seems like fair game to demonstrate a problem.

That said, his bug report was complete shit and barely distinguishable from spam. How can he have an IS degree if he can't even write a decent bug report?

$500 is a lot of money (1, Funny)

LifesABeach (234436) | about 8 months ago | (#44607201)

After Facebook's stock plummet, Mark is pretty hard up for cash; maybe Kahlil Shreateh could cut junior some slack? Let's "face it", superhero underwear for staff members is not cheap.

Re:$500 is a lot of money (2)

phantomfive (622387) | about 8 months ago | (#44607249)

Have you looked at Facebook's stock recently? It's getting close to the IPO price.

Re:$500 is a lot of money (1)

rwyoder (759998) | about 8 months ago | (#44607379)

Have you looked at Facebook's stock recently? It's getting close to the IPO price.

It actually closed a little *over* the IPO price on several days last week.

Guilty of being Palestinian (1, Interesting)

Anonymous Coward | about 8 months ago | (#44607225)

How much you want to bet it's because they don't want to be seen giving money to someone in Palestine?

Re:Guilty of being Palestinian (4, Insightful)

Chris Mattern (191822) | about 8 months ago | (#44607415)

$0. They didn't give him money because a) it was a shit bug report and b) corporations are innately averse to giving out money to *anybody*, even if there's a policy saying they have to. Palestine has nothing to do with it.

Not worth it (5, Interesting)

phantomfive (622387) | about 8 months ago | (#44607229)

Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds.

That's absolutely not worth the money. He's better off taking the publicity he got from this and turning it into a high-paying job.

Are all security hacks a TOS violation? (1)

Anonymous Coward | about 8 months ago | (#44607235)

Because we all know that any security exploit that breaks the TOS would never be used by a Black Hat.

You still have an account there? (-1)

Anonymous Coward | about 8 months ago | (#44607277)

Enough said.

The true reason? (0)

Anonymous Coward | about 8 months ago | (#44607325)

Could the true reason be that Palestine is being embargoed by the U.S. and Facebook can't send the guy money even if they wanted to?

A great way to alienate the white-hat community. (5, Insightful)

fuzzytv (2108482) | about 8 months ago | (#44607371)

Good work, Facebook! Kinda resembles what happened at GitHub ~18 months ago: http://www.zdnet.com/blog/security/how-github-handled-getting-hacked/10473 [zdnet.com]

If someone from Facebook reads this, and it's TL;DR; here are the next steps:

#1 apologize to the guy, acknowledge he reported the issue twice
#2 reinstate the account and pay him his reward
#3 fix the damn issue

Re:A great way to alienate the white-hat community (2)

Skapare (16644) | about 8 months ago | (#44607421)

#4 fire whoever is responsible for him being ignored.

Re:A great way to alienate the white-hat community (0)

awpoopy (1054584) | about 8 months ago | (#44607509)

#5 Hire him and put him in charge of the department that ignored him. Give him the backing to fire where needed.

500 USD? (1, Insightful)

ebonum (830686) | about 8 months ago | (#44607399)

What a joke. Facebook should fire the guy costing 150,000 USD a year (take-home pay and all-in cost to FB are not the same) who wrote the offending code.

500 USD for a bug is an insult. How much do their QC people make a month? They failed, and they are getting a lot more than 500 USD.

Re:500 USD? (0)

Anonymous Coward | about 8 months ago | (#44607471)

Facebook should fire the guy ... who wrote the offending code.

When it's original Zuckercode, they might not be willing to take that step.

Re:500 USD? (0)

Anonymous Coward | about 8 months ago | (#44607861)

The problem with bug bounties also has to do with how you count them and not all bugs being created equal. You could get a ton of minor GUI glitches worth like five dollars each or one big one of "Hey, if you enter this in the login field you can output all of the personal data and then enter this to destroy their database."

Minions!!! (0)

Anonymous Coward | about 8 months ago | (#44607401)

Looks like Facebook is rapidly declining into the corporate morass. WAKE UP Facebook!!

Jordan (-1)

Anonymous Coward | about 8 months ago | (#44607461)

That's nice, but everything is possible. It's easy to hack Facebook accounts these days, same for Hotmail.

I have tried using this website; it's good for hacking: http://www.prince-asfi.com

Cheapskates (4, Funny)

Anonymous Coward | about 8 months ago | (#44607479)

Refusing to pay because it violates terms of service? Wait, wait, I'm now convinced all my online details are safe. After all, the terms of service protect me from dishonest hackers, right?

This is so bad (0)

Anonymous Coward | about 8 months ago | (#44607525)

I mean, you ask people to send bugs to you, you even offer to pay... and now for some obscure reason you don't? And after that you want me to "trust" you?
Hackers are not people who follow "rules" and/or TOS. That's why they find bugs!

BRIGHT EYES (0)

Anonymous Coward | about 8 months ago | (#44607585)

you know who you are

Easy to remedy... (0)

Anonymous Coward | about 8 months ago | (#44607627)

Fire the idiot(s) who denied the bug existed and hire Kahlil to replace them. Simple.

He should sit on it for a week, then repeat. (0)

Anonymous Coward | about 8 months ago | (#44607731)

He should sit on it, and let them stew over it waiting for the head cheese to come down on them for not fixing it.

Then repeat his feat again next week to remind the head cheese to take action.

Google has a much better bounty program... (3, Informative)

slashkitty (21637) | about 8 months ago | (#44607867)

They pay $7,500 for an XSS bug, more for more serious bugs. Facebook better think about their program before a more serious bug is made public or exploited privately.

Small claims court (0)

Anonymous Coward | about 8 months ago | (#44607943)

Or Judge Judy. AFAIK no lawyers allowed.

stupid me (1)

Anonymous Coward | about 8 months ago | (#44607945)

Well, what did he expect
when a Palestinian goes and invades the home (page) of someone called Zuckerberg?
It's despicable and horrible and would never happen in the real world... oh, hang on a minute.
