
Mark Zuckerberg’s Facebook page was hacked by an unemployed web developer - chrisdinn
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/19/mark-zuckerbergs-facebook-page-was-hacked-by-an-unemployed-web-developer/
======
chrisacky
Although this is blogspam, it's a blogspam that I can actually support...

This is being covered a lot more widely because FB didn't just pay the guy. I
know it wasn't about money for FB, but this has easily done a lot more damage
than they would have expected, and because of their inadequate handling of a
single bug report, I can only feel satisfied as I think this will go down as a
good case study of how not to be so dismissive with critical bugs.

(I still think they should pay the guy, and it should be double the $5k he
would have expected to receive).

~~~
short_circut
Dismissive and ignored? Did you read what he submitted to them? It made no
sense. He vaguely stated that there was a bug and his education. His bug
report was nonsensical. I am not even slightly surprised they ignored it. And
he violated the TOS before he even ever tried to post to Zuckerberg's wall.

~~~
efuquen
Having dealt with fellow developers that don't have perfect English or have thick
accents, I think it's quite unprofessional to dismiss someone's complaint
without even trying to understand them. It's great for us native English
speakers that it's such a dominant language, but I think we should all give a
little more respect to others where it's clearly not their first language and
they're the ones having to go out of their way to communicate with us. I for
one am glad I don't have to deal with the bilingualism. With a bit more
empathy and less dismissiveness the whole thing could have been avoided.

~~~
gedrap
I am not a native English speaker. Although I study in England (University of
Manchester), I believe half of my course mates are not native speakers either.
At least the ones who turn up to lectures. People try to explain their
algorithms and ideas in broken English with damn thick accents, but they DO
explain. They put in effort.

From what he managed to write in the blog post, he CAN write English, and it's
not THAT bad.

But this dude doesn't really bother. Hey Facebook, there's a bug. Wanna know
it? How about you... beg me to tell you?

I am quoting him: whatever , i dont care for miss spelling , just the idea , i
never correct an underline red word ;)

Did FB treat it properly? No. Did he act properly? Neither. But since it's
FB... THEY ARE EVIL!!!!111!

~~~
anigbrowl
You do make a good point, but at the same time I was easily able to understand
his original bug report. I agree that both sides should be making a little
more effort, and engaging in a bit less drama.

~~~
ceol
He didn't make a bug report. He didn't specify how he could post to other
people's walls. All he said was that he could, and that he had already broken the
ToS by using it on another person's account. This was his original report:

    
    
        -----Original Message to Facebook-----
        From: kha****@hotmail.com
        To:
        Subject: post to facebook users wall .
    
        Name: Ḱhalil
        E-Mail: khal****@hotmail.com
        Type: privacy
        Scope: www
        Description: dear facebook team .
    
        my name is khalil shreateh.
        i finished school with B.A degree in Infromation Systems .
    
        i would like to report a bug in your main site
        (www.facebook.com) which i discovered it .
    
        repro:
        the bug allow facebook users to share links to other 
        facebook users , i tested it on sarah.goodin wall and i 
        got success post
        link - > https://www.facebook.com/10151857333098885
        -----End Original Message to Facebook-----
    

From that, you surmised that he exploited the "make a new wall post" form by
replacing the user ID with another of his choosing?

~~~
mtrimpe
When you're working across cultural boundaries you realise that most problems
stem from an incorrect assumption.

In this case Khalil probably held the incorrect assumption that an actual
demonstration of the bug would be how Facebook would want this to be reported,
hence the lack of details.

It's not unreasonable for him to think Facebook would take a look at their
HTTP logs to find out what happened.

------
tptacek
Once again, with feeling:

Even if Facebook wanted to ignore the terms of their bug bounty to pay this
person, they probably can't. Bug bounties are legally fraught as it stands.
Like every bug bounty, Facebook's is clear: if you use a real account, _you
must have the consent of the account holder_. That term isn't just there to
make the Facebook security team's job easier; they also can't officially
condone people compromising random user accounts.

Facebook also operates in a web of contractual and regulatory concerns,
including California's breach notification laws. Exploitation of security
vulnerabilities on Facebook's public properties outside of the terms of their
bug bounty might be legally more akin to attacks than to pro-bono testing.
Further, Facebook obviously needs the ability to reliably enforce their terms,
lest they provide attackers with ammunition in a court case if they, for
instance, Pastebin large amounts of Facebook user data. "Oh, I was just
participating in the bug bounty program; I certainly wasn't setting out to
sell $CELEBRITY's data to a tabloid."

Jim Denaro is an attorney specializing in stuff on this. We talked to him on
Twitter this weekend when the story broke, and he said he would have advised
against paying the bounty here too. Maybe we can get him to write a blog post.

I don't know how much "outrage" this has actually generated in the security
community (maybe you can find links). The security people I've talked to think
what happened makes perfect sense. Facebook didn't freak out; they acknowledged
the bug report (once they understood it) and fixed the bug. They're just not
paying a reward, because the bugfinder violated what is perhaps _the most
important term in the bug bounty_.

One more thing: people on HN have a lot of strong opinions about Facebook, and
while I don't share many of them, I understand and respect them. Understand
though that the people working on Facebook's security are real and very smart
and by and large not the least bit interested in screwing other bugfinders out
of 0.00000000001% of Facebook's operating capital.

~~~
falcolas
I understand your position in this, and after reading the full story, I even
agree... but I also know a few independent security researchers (i.e. people
who don't do this professionally) who do not.

They, rightfully or not, see an independent who was ignored and then
persecuted for trying to responsibly report a bug. It's given Facebook a black
eye to more than just the HN crowd, and people will probably be thinking twice
about disclosing security bugs, particularly if they get "working as intended"
as their initial response.

Also, consider the guidelines that go into developing a UI. The more
roadblocks you put in someone's way to register for your site, the fewer
people will register. Apply that to this, and the more roadblocks you put into
reporting a bug correctly (requesting special accounts, fighting to convince
staff that your bug is an actual issue), the fewer bug reports you're going to
get. That's not a good thing for Facebook in the long run.

~~~
tptacek
I don't see how you get from the facts of what happened to "persecution".
Could you go a little further into that?

~~~
falcolas
Disabling his Facebook account, and deciding not to pay Khalil Shreateh
(though the account was later re-enabled after further emails between himself
and Facebook).

------
arnarbi
> Shreateh reports he will not, however, receive a bounty for his work — per
> an e-mail from Facebook, he violated the terms of the program when he hacked
> Zuckerberg’s account.

I think this is wrong. He posted on Sarah Godin's wall first before making any
report, very clearly breaking the rules FB sets up for its whitehat program.
They offer a way to create test accounts for exactly this. Posting on Mark
Zuckerberg's wall has nothing to do with it.

As far as I'm concerned, FB's only mistake here was to brush him off instead
of asking for further information after the initial report. Hardly newsworthy.

~~~
bwang8
From my understanding, Sarah Godin is a fake FB account that he made to test
his bug out.

~~~
yuliyp
Sarah Goodin is not a fake account, she is one of the first Facebook users
(back when it was at Harvard only).

~~~
jamesjguthrie
How do you know that the post to her wall wasn't his initial discovery of the
bug? Any occurrence of the bug was a breach of the ToS.

~~~
ceol
Not between two test accounts or two accounts that belong to you (work and
personal, which you are allowed to have.)

------
jzelinskie
Why don't people just send things in their native language? If the platform
for communication is serious (like a place to report security
vulnerabilities), I would imagine they would spend the time/money to get a
real translation if one was needed. Even Google Translate probably could've
done a better job than this guy's original report.

~~~
cliveowen
There's no excuse for not knowing the English language, first as a 21st century
citizen and secondly as a web developer.

~~~
claudius
There’s no excuse for not knowing at least three out of English, Spanish,
French, Mandarin, Urdu, Arabic, Portuguese, Russian and German. If you’ve
finished university peeking at a fourth and fifth language can’t hurt either.

How many do you know?

Edit: Oh, and how about a bit of Latin and Greek, maybe?

~~~
cliveowen
I _do_ know English, Spanish and Italian, and I'm doing my best learning
Portuguese, but that doesn't mean we should encourage a world divided by
language barriers. I'd be happy to completely forget about every language,
including my own native language, and have English as a universal language;
it's called progress.

There's no advantage whatsoever in having a fragmented world, and if the mess
in my head is any indication the alleged advantages of bilingualism are just
BS.

~~~
claudius
While it would certainly be _convenient_ if everybody spoke the same language,
I don’t think it would be _better_ than the current state of affairs, where
most people know two to three languages more-or-less well.

After all, knowing more than one language does give you some different
insights, not just into the culture of the other language but also into your
own culture. Furthermore, there is a whole canon of classical works in
basically every language which would likely lose some of its value if it were
only accessible in the translated form.

We can add to the last point by taking note that English is a particularly bad
example of a ‘world-wide native language’. While its simplicity – both with
regards to its vocabulary and its grammar – certainly helps when it is the
_second_ language of someone, such concerns are of smaller importance when you
want it to be everyone’s first language: Such a language can come with a much
stronger set of grammatical rules and nicer ways to build composite words and
still be (roughly) equally accessible to its native speakers.

------
jack-r-abbit
I don't really understand what significance there is in stating that he is
"unemployed." Does that somehow make his actions better/worse or the "hack"
more/less tolerable?

~~~
beat
You're starting to see the fnords. Stop that! Look over there, a celebrity is
having marital problems! A pretty young blonde woman is missing!

Journalism is always fair and balanced. They would never, ever use potentially
biasing words to suggest that you favor the big corporation over the
individual.

~~~
quantumpotato_
I think it was done to give credence to the web developer's lack of
"corporatism", to show an "underdog" narrative. Sort of like "homeless man
discovers flaw in millionaire's mansion security"... he's so badass he doesn't
need a home, or a job, to be good at what he does.

I think. It's gotten nearly impossible to tell w/ modern journalism.

~~~
beat
"Unemployed" is _never_ a positive word in American English. In America, if
you're unemployed, it's because you're a lazy, shiftless bum - and will
quickly resort to crime if your own shortcomings won't let you scam a powerful
and scrupulously honest corporation.

The word "unemployed" has such negative connotations here that trying to use
it in an underdog narrative is dooming your story to failure.

------
diminoten
The Facebook team should have taken better care of this, but the guy should
have used one of the test accounts, or created a test account to demonstrate
this, rather than fuck with someone else's private Facebook account.

Very bad form.

~~~
JangoSteve
I agree. Why not create a test account and post to his own wall?

------
guard-of-terra
I think we should crowd-source $5k to that guy and make Zuck sure we don't
really need him for anything.

I'm ready to toss $10.

~~~
webvictim
You would prove nothing other than that crime pays.

~~~
gnaritas
Crime does pay, that's rather the point of crime, it doesn't really need
proving.

~~~
webvictim
In that case, crowdsourcing a way to pay this guy $5k for the vulnerability he
found and abused would be counterintuitive.

~~~
walid
WOW WOW, you say "abused"... strong language there. He was trying to show the
bug to them. This guy looks like he never read the TOS in the first place, so
he wasn't out to abuse it. He didn't communicate properly is the way I
would put it.

------
nthitz
Plenty more discussion here:
[https://news.ycombinator.com/item?id=6229858](https://news.ycombinator.com/item?id=6229858)

------
joshaidan
I find it interesting the amount of attention Hacker News is getting from this
in mainstream media.

It makes me wonder, when people unfamiliar with Hacker News read about it in
stories like this, do they get the wrong impression and think Hacker News is
about the criminal kind of "hacking"?

~~~
beat
The mainstream media spent twenty years trying to turn the word "hacker" into
some sort of unholy cross between thief, terrorist, child pornographer, and
teenager. They'd _better_ be getting the sense that hacker == criminal by now!

~~~
ceol
Your replies in this thread have been piss poor, anti-corporation, anti-media,
hyperbolic shitposting. Please take it back to /r/technology.

~~~
beat
If the media hasn't consistently presented "hacker" as negative, why is it
seen as such? After all, everyone who actually _knows_ what hacking is a: sees
it as positive, and b: is irritated at the media presentation.

Facts is facts, man. Sorry if you don't like the snark, but I'm not sorry for
telling the truth.

~~~
ceol
It's the general public's opinion about "hacker", not just the media's.
Connotations change. Everyone here knows "hacker" to mean "someone who finds a
simple solution to a complex problem" but everyone _elsewhere_ uses "hacker"
to mean "someone who breaks into another person's computer system." It's not
even the wrong usage; it's just a usage you don't personally like.

That's not touching on the rest of your posts. They've all been hyperbolic
bullshit, and I hate seeing it bleed over from the political discussions.

------
baby
Hasn't this story been posted multiple times already?

Also, it was made clear that he clearly violated the TOS and that his messages
were unintelligible.

~~~
skeletonjelly
It most definitely has. I'm so over arguing over this.

Previous discussion

[https://news.ycombinator.com/item?id=6229858](https://news.ycombinator.com/item?id=6229858)
+383

and about 10 other single digit posts of various blogspam sites

[https://www.hnsearch.com/search#request/submissions&q=facebo...](https://www.hnsearch.com/search#request/submissions&q=facebook&sortby=create_ts+desc&start=0)

and reddit

[http://www.reddit.com/r/sysadmin/comments/1kkvfr/user_report...](http://www.reddit.com/r/sysadmin/comments/1kkvfr/user_reports_security_bug_to_facebook_after_user/)
+329

[http://www.reddit.com/r/netsec/comments/1kkvei/user_reports_...](http://www.reddit.com/r/netsec/comments/1kkvei/user_reports_security_bug_to_facebook_after_user/)
+532

[http://www.reddit.com/r/technology/comments/1ko71v/researche...](http://www.reddit.com/r/technology/comments/1ko71v/researcher_facebook_ignored_the_bug_i_found_until/)
+831

[http://www.reddit.com/r/technology/comments/1kkoux/hacker_po...](http://www.reddit.com/r/technology/comments/1kkoux/hacker_posts_facebook_bug_report_on_zuckerbergs/)
+3005

Can we wrap this one up perhaps?

------
bloaf
It's simple: Facebook can't set the precedent that people who exploit bugs in
this way get paid. If they did, every Joe who felt that their particular bug
wasn't being addressed quite right would think that public exploitation is the
faster route to their reward.

~~~
rmc
Conversely, they might be setting the opposite precedent: that they might
ignore your initial email if you don't speak perfectly, and if they ignore your
initial email, even hacking Zuck's account won't get you any official
recognition.

The bad precedent is that if you're not a great English speaker, you might as
well sell your bug on the black market. This is not good for Facebook.

------
callesgg
What is wrong with journalists nowadays? Reading Hacker News and copy-pasting
stuff into articles is not what I would call good journalism.

It would be nice if people could stop reposting shit from "average Joe"
newspapers.

------
lcusack
It would be a class act if Mark Z personally paid him the bounty or maybe if
FB employees crowdfunded it.

Then they don't have to admit they were wrong and don't look like jerks. Best
of both worlds.

------
adsr
This seems like a lack of communication skills on both parts, imho. Why would
you respond "this is not a bug" to a bug report you did not understand?

------
codex_irl
poor show FB - thumbs down!

------
enterx
lol, you ad serving pricks! XD

Will someone send this Khalil Shreateh a brand new quad-core? TIA

Khalil Shreateh - respect. Let your name be indexed once more.

------
shortcj
Facebook is a top tier company; they don't pay people attention, much less
real money, without a track record of like Harvard or Stanford already.

~~~
shortstuffsushi
I really don't think that's a fair allegation to just throw out there. Care
to back that up with some evidence?

