
Hacker Posts Facebook Bug Report on Mark Zuckerberg’s Wall - ArabGeek
http://arabcrunch.com/2013/08/palestinian-hacker-posts-facebook-bug-report-on-facebook-ceo-mark-zuckerbergs-wall.html
======
borplk
I applaud him for his expertise and finding the bug but here are some points,
Khalil:

- You violated Facebook's terms of service by exploiting the bug on Sarah's
profile. You shouldn't have done that.

- I understand that English is not your first language and of course that's
perfectly fine, people usually don't expect perfect English on the internet.
However you have written the report quite lazily and haven't taken the time to
clearly explain the steps. For example you have said "mark profile" instead of
"Mark Zuckerberg's profile". That's just ambiguous language and confuses the
reader. They probably receive a lot of wrong reports every day so if you make
mistakes like that you are less likely to be taken seriously.

- After they said it is not a bug, it is clear that they have misunderstood
you because you failed to communicate clearly. You could write a more detailed
report and tell them that they have misunderstood you. If not you could report
in your first language and let them ask one of their Arabic-speaking
employees.

- You violated the terms again by exploiting the bug on Mark's profile. It
would be bad if it was any other Facebook user too. But you went straight for
Mark which will obviously generate a lot of buzz and negative publicity and
I'm sure he doesn't appreciate someone randomly posting something on his wall.

- Just because they fail to receive your bug report does not make it ok for
you to go ahead and exploit it.

By exploiting the bug you had found twice you lose your whitehat status and
you no longer deserve the bounty. Whitehat does not mean "white hat unless you
fail to take my report then I will have to exploit your CEO's profile for the
world to see".

If Facebook does pay you for the bug, it is just setting a bad example and
will be encouraging similar behaviour.

After that, every other person who finds a bug too will do something funny to
Mark's profile for attention.

~~~
s_q_b
The author clearly has a language barrier. Not all bug reports are going to
come with sterling reports to back them. In the end, Khalil fell back on the
lingua franca of the internet: a working demonstration.

The onus is on the organization, not the bug reporter, to vet the information.
From what I see, there was more than enough in the report to conclude there
was a problem, and follow up.

If Facebook security fails in coding the application, in QR, and when a user
files a bug report, it is awfully hard to place the blame with the bug
reporter.

~~~
dylangs1030
This isn't a good summary of the events. His "lingua franca" is technically
illegal, and violates Facebook's _explicit_ and _easily accessible_ Terms of
Service.

There's nothing obfuscated about this. It's very straightforward. Yes, he
found a security vulnerability. That doesn't earn you points "just cause." You
still need to report it with _responsible disclosure_ and _not_ exploit it for
the lulz and attention.

He could have done things differently - especially, he could have asked to
talk to a Facebook employee who understands Arabic. Or tried to put more
effort into a second security report.

Frankly, posting on Mark Zuckerberg's wall about this is childish and just
attention-grabbing. It's not a responsible disclosure.

~~~
avalaunch
In another thread it was mentioned that the terms of service aren't available
in Arabic.

~~~
dylangs1030
That's not Facebook's problem...should they also write Esperanto terms of
service and Swahili terms of service just because security researchers exist
who speak those languages?

~~~
avalaunch
And the bug wasn't this hacker's problem. It's important to remember that this
guy went out of his way to help Facebook.

As such, they should be a bit more understanding when someone that speaks
Esperanto submits a bug without doing so in a way that perfectly adheres to
their terms of service. They should step back and take a subjective view
instead of trying to make it black and white. Was he acting maliciously? Did
he knowingly violate the terms or was it out of ignorance? Was he trying to
hurt Facebook by violating the terms or help them?

------
ryandrake
If the Facebook security team responded more thoughtfully, we wouldn't even be
reading about this as news. Instead of:

    "This is not a bug" (essentially, "go away")

...they could have said:

    "Thanks for the report. It seems that English may not be your first language, so to be very clear, in order to check this issue, we will need these pieces of information (A, B, C). Please feel free to reply in your language, and we will have a native speaker help translate."

If I was the researcher, the callous "go away" response would have convinced
me that it would be more fruitful to sell the exploit to a spammer (who would
pay HANDSOMELY to be able to post to anyone's wall).

~~~
dylangs1030
1. I agree, Facebook probably could have been more tactful in their reply.
Your example reply looks good.

2. That said...if you were the security researcher, and you received a "This
is not a bug." - you would still be fully wrong in selling the exploit to the
highest bidder. It's not ethical to do that just because you failed to get a
bounty after reporting it, especially if you only tried _once._

I think both sides should have done things differently. Hacker News is skewed
towards BigCo hatred as a whole, and I think it's showing a bit. The majority
is siding with Khalil despite the fact that there are valid reasons for him to
not receive a bug bounty.

~~~
ryandrake
Oh, and just to clarify, I'm not coming at this from the perspective of "BigCo
hatred". It is in Facebook's best interests to treat white hat reported
security issues seriously, even if they don't initially understand them.

What are the chances that this security researcher ever reports another bug to
Facebook, given how he was treated? Selling future exploits to spammers
wouldn't be the ethical thing to do, but if I know "Emrakul" in Facebook
Security is just going to tell me to F-off, I start to justify it.....

~~~
dylangs1030
I wasn't talking about you when I spoke about the anti-BigCo sentiment.

------
chiefalchemist
Re: "We are unfortunately not able to pay you for this vulnerability because
your actions violated our Terms of Service."

Poor Zuck, literally poor poor Zuck. #Sarcasm

Prediction: People will start finding holes, shorting the stock, exploiting
the holes, then going public with the exploit and making their money once the
stock dips.

Done correctly, that probably pays pretty damn well, yes?

~~~
yolajengoo
Uh, no. How many security exploits do you think would impact Facebook's stock?
This one? Investors do not care about minor bugs that are fixed quickly.

~~~
jedbrown
Simultaneously use the exploit on many investors' FB pages, perhaps starting
with their children and families. Nobody cares about an exploit used on Zuck's
wall and fixed soon after, but the perception would change if it was more
personal and widespread.

------
jonson
In my opinion, I think they should compensate him. They said he violated their
terms... Their terms on the whitehat page are not even localised for other
languages. Too bad.

~~~
mike-cardwell
In his _first_ message, he demonstrates that his bug exists by showing that he
exploited somebody else's account. This is _obviously_, _never_ the way to
make a bug report. Heck, it's probably even illegal. You shouldn't need to
read a site's terms and conditions to know that doing this will be breaking
them. It's an expensive lesson. Hopefully it will lead to him being more
sensible in future. I have no sympathy.

~~~
pampa
Denying bounty to a hacker on some bullshit "Terms of Service" violation
excuse defeats the whole purpose of the bounty program.

Next time a hacker will just sell the exploit to somebody else, cash upfront,
and won't bother reporting.

~~~
dylangs1030
It's not "bullshit Terms of Service" - Facebook clearly lays out the terms of
the Whitehat program.

There was no bait and switch - it's very explicitly stated that he should not
be exploiting the vulnerability, and that it needs to be clearly explained.

I respect that he found a vulnerability, but he still needs to adhere to a
website's terms and conditions. If the security team he reports a bug to
doesn't "get it" the first time he should try again, not publicize it on
Hacker News and attract negative publicity by putting it on Mark Zuckerberg's
wall.

~~~
pampa
It's not "bullshit Terms of Service", it's "bullshit excuse". There is a
difference.

~~~
dylangs1030
You originally said bullshit TOS, which is why I quoted that. It's not a
bullshit excuse for all the reasons I already mentioned.

------
pella
[https://news.ycombinator.com/item?id=6229858](https://news.ycombinator.com/item?id=6229858)

------
thezach
I made a Facebook security vulnerability report Friday afternoon and have
received absolutely no response from them.... it's getting rather disgusting

~~~
dylangs1030
Give them a few days? Companies like Microsoft receive 200,000 bug reports
each day, and each one has to be examined to determine authenticity. Plus, you
sent it before the weekend.

It's not "disgusting"...you just need to be patient.

------
tcbrfla
There are no excuses. Facebook should expect that hackers with english as a
second language (or not even that) will find bugs in the system and that they
will not be able to communicate the way the Facebook team expects.

They should stop finding excuses and start to focus their efforts on making
sure that people with no communication skills can report any bug.

Suggestion: Facebook could create a new "Facebook_security" system, which can
be used to report bugs. The system would have the same production version, but
the terms and conditions would be flexible. It would be used only for security
purposes, and if someone finds a bug, they could record the exploit and send
to the facebook team. By doing this, they would make sure that any type of bug
could be reported.

------
khalilshr
I can't reply to all of these comments, but I can say that I love the Facebook
security team when they ignored me ;) Thank you for your support. Regards.

~~~
vadivlkumar
Don't worry about your English, just continue to do what you are doing. But
understand one thing, what you are doing is only worth to learn one or two.
Whether FB is paying you or not does not really matter!

I was a little irritated that your English was criticized so heavily! And it's
more irritating when a security team fails to understand a security issue that
I was able to understand.

------
tobykier
wtf. We're not going to pay you because after we ignored you, you went over our
heads.

~~~
ArabGeek
"of course they didn't use their authority to view sarah’s privacy posts as
Sarah share her timeline posts with her friends only."

------
ferdo
Facebook should give him a job. The current security team appears to need some
help.

------
ArabGeek
He did that after facebook security team rejected his request to report a bug

~~~
DangerousPie
To be fair they rejected it because his "report" consisted of a link to a
profile where he claimed to have exploited the bug, without any explanation of
what he actually did. If he had at least given a rough indication of what the
exploit was I am sure they would have reacted differently.

~~~
ArabGeek
"----Original Message to Facebook-----
From: kha __ __@hotmail.com
To:
Subject: post to facebook users wall .

Name: Ḱhalil
E-Mail: khal __ __@hotmail.com
Type: privacy
Scope: www
Description: dear facebook team .

my name is khalil shreateh. i finished school with B.A degree in Infromation
Systems .

i would like to report a bug in your main site (www.facebook.com) which i
discovered it .

repro: the bug allow facebook users to share links to other facebook users , i
tested it on sarah.goodin wall and i got success post link - >
[https://www.facebook.com/10151857333098885](https://www.facebook.com/10151857333098885)
-----End Original Message to Facebook----- "

~~~
iso-8859-1
No wonder they ignored the bug report. It looks like a spam e-mail. Why no
proper capitalization? Why is your education relevant?

~~~
neotek
English isn't his first language.

