Facebook vulnerability 2013 - khalilshr
http://khalil-sh.blogspot.com/p/facebook_16.html
Check this article, and guess what!! Facebook pays me nothing.
======
tshtf
Note to security response teams everywhere: Not all vulnerability reporters
speak perfect English, nor are they all experienced in writing up details on
how to exploit issues. It is your responsibility to obtain details from
reporters, after the initial report, to avoid situations like this. Facebook
should give a bug bounty here, due to their lack of due diligence in following
up with the initial responses.

~~~
Aqueous
Yeah, what the hell were they doing responding "This is not a bug." without
investigating or asking for more details? What the hell is the point of even
responding to possible security alerts from the general public if you're not
going to investigate?

~~~
future_grad
I am curious as to how many trash reports they have to sort through to identify
real bug reports. Anyone care to comment?

~~~
taspeotis
Microsoft sifts through bogus security reports all the time. Raymond Chen
posts the best-of-the-worst periodically.

Here are a couple I found:

[http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247...](http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247870.aspx)
[http://blogs.msdn.com/b/oldnewthing/archive/2008/03/14/80801...](http://blogs.msdn.com/b/oldnewthing/archive/2008/03/14/8080140.aspx)

~~~
mattmanser
Yeah, but look at what he says in the first link:

_Before contacting the submitter, we want to be sure that we weren't missing
something, but after looking at it from every angle, we still couldn't see
what the issue was.

...Stumped, we contacted the submitter. "From what we can tell, the call to
system takes place before you call the LoadKeyboardLayout function. Can you
elaborate on how this constitutes a vulnerability in the LoadKeyboardLayout
function?"_

------
stygiansonic
After watching the video, it looks like the exploit involves:

1) Getting the target user's userId. This used to be part of a user's profile
URL but Facebook allowed people to choose a "vanity URL" quite a while ago, so
they're no longer as visible. So, instead, the userId is obtained from a FB
Graph API query.

2) The form that makes up the "post to newsfeed" has a bunch of hidden inputs.
One of them refers to a "xhpc_targetid" and this is probably where the target
userId is injected. It's normally set to the current user's id for a default
newsfeed post. These values in the DOM are modified during the exploit using
something like Chrome Developer Tools on-the-fly and the form is submitted.

If this is truly the case (and I haven't verified it myself) this means that
the server side is not really checking permissions and just blindly trusting
the client input. Reminded me of this recent
([http://arstechnica.com/information-technology/2013/08/how-ea...](http://arstechnica.com/information-technology/2013/08/how-easy-is-it-to-hack-javascript-in-a-browser/))
article about trusting client input.
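Read as a defender, the gap inferred above is a server that accepts the client-supplied target id without an authorization check. The following is an added example, not code from the thread, from Facebook, or from the video: a toy post handler in its inferred vulnerable form next to a hardened one. The user ids, friendships and privacy settings are constructed, only the field name `xhpc_targetid` comes from the comment, and the `message` field is an assumption.

```python
# Added example, not code from the thread or from Facebook: a toy model of the
# server-side check the comment above infers is missing. All users, friendships
# and privacy settings are constructed; only the field name "xhpc_targetid" comes
# from the thread, and "message" is an assumed second form field.
from dataclasses import dataclass, field

# Constructed sample data: user ids, who is friends with whom, and which
# timelines accept posts from friends.
FRIENDS = {
    "100": {"200"},   # 100 and 200 are friends
    "200": {"100"},
    "300": set(),     # 300 has no friends in this sample
}
ALLOWS_FRIEND_POSTS = {"100": True, "200": False, "300": True}


@dataclass
class Timelines:
    """Server-side state: each user's timeline posts plus an audit log of refusals."""
    posts: dict = field(default_factory=lambda: {uid: [] for uid in FRIENDS})
    audit_log: list = field(default_factory=list)


def make_form(session_uid, message, target_uid=None):
    """The hidden input as the page emits it (target = logged-in user), or with the
    target id overwritten in browser dev tools, as the comment describes."""
    return {"xhpc_targetid": target_uid or session_uid, "message": message}


def post_vulnerable(tl, session_uid, form):
    """Behaviour the comment infers: the client-supplied target id is trusted
    outright, so the post lands on whatever timeline the form names."""
    target = form["xhpc_targetid"]
    tl.posts[target].append((session_uid, form["message"]))
    return True


def can_post_on_timeline(session_uid, target_uid):
    """Authorization decided from server-held relationships, never from the form.
    Own timeline: always. A friend's timeline: only if that friend allows it."""
    if session_uid == target_uid:
        return True
    return (target_uid in FRIENDS.get(session_uid, set())
            and ALLOWS_FRIEND_POSTS.get(target_uid, False))


def post_hardened(tl, session_uid, form):
    """Same request handling, but xhpc_targetid is treated as untrusted input."""
    target = form["xhpc_targetid"]
    if target not in tl.posts:
        tl.audit_log.append(("unknown_target", session_uid, target))
        return False
    if not can_post_on_timeline(session_uid, target):
        # Record the refusal: a session repeatedly naming timelines it may not
        # post to is exactly the tampering worth alerting on.
        tl.audit_log.append(("forbidden_target", session_uid, target))
        return False
    tl.posts[target].append((session_uid, form["message"]))
    return True


def demo():
    """Run one tampered request (300 targets non-friend 100) through both handlers.
    Returns (accepted_by_vulnerable, accepted_by_hardened, 100's posts, audit log)."""
    form = make_form("300", "constructed link post", target_uid="100")
    weak, strong = Timelines(), Timelines()
    accepted_by_weak = post_vulnerable(weak, "300", form)
    accepted_by_strong = post_hardened(strong, "300", form)
    return accepted_by_weak, accepted_by_strong, weak.posts["100"], strong.audit_log


if __name__ == "__main__":
    print(demo())
```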

~~~
untog
_This used to be part of a user's profile URL but Facebook allowed people to
choose a "vanity URL" quite a while ago, so they're no longer as visible._

They're still visible in photo albums and the like. Far from hidden.

~~~
skeletonjelly
It's not really obvious though

~~~
zevyoura
If you're investigating Facebook exploits it's one of the first things you'd
have to learn about.

------
asenna
The Social Network -

Ad Board Chairwoman: Mr. Zuckerberg, this is an Administrative Board hearing.
You're being accused of intentionally breaching security, violating
copyrights, violating individual privacy by creating the website,
www.facemash.com. You're also charged with being in violation of the
University's policy on distribution of digitized images. Before we begin with
our questioning you're allowed to make a statement. Would you like to do so?

Mark Zuckerberg: I've... [Mark stands up to make his statement]

Mark Zuckerberg: You know I've already apologized in the Crimson to the ABHW,
to Fuerza Latina and to any women at Harvard who may have been insulted as I
take it that they were. As for any charges stemming from the breach of
security, I believe I deserve some recognition from this Board.

Ad Board Chairwoman: I'm sorry?

Mark Zuckerberg: Yes.

Ad Board Chairwoman: I don't understand.

Mark Zuckerberg: Which part?

Ad Board Chairwoman: You deserve recognition?

Mark Zuckerberg: I believe I pointed out some pretty gaping holes in your
system.

----

The similarity is uncanny.

~~~
Killah911
It's funnier when FB points to some fine print and acts like bigger douches
than those administrators. I would've half expected FB to have engaged this
person in a whole different spirit, with all the well publicized "we're cool
& paying whitehat hackers" PR & news articles.

~~~
asenna
Exactly. The tables have turned.

------
tptacek
Jim Denaro, @CipherLaw on Twitter, a lawyer specializing in these issues and
someone who has studied bug bounty programs, twerped earlier at me:

 _Paying out a bounty in that situation would be legally risky. Would advise
against it._

Facebook's ToS forbid you to compromise other users' accounts in any way. Its
bug bounty terms require the consent of any accountholder used to search for
bugs. It's also bound by California laws regarding breach notifications. And
over the long term, it must retain the ability to enforce its own ToS. These
are just the objections I can think of.

If you're going to participate in a bug bounty program --- and you should ---
don't use non-consenting accounts to do it. This is a simple issue that's been
blown out of proportion by message board pathology.

~~~
thezilch
Don't pay the bounty for the bug then. Pay it for identifying the weak links
in the security-reporting chain. The links that shrugged the bug reporter off,
from the start; didn't have, at the very least, some boilerplate to guide the
reporter; didn't have avenues or rules for non-English speakers.

For all we know, the reporter might have thought, "This will never work" or is
not up to speed on or didn't understand the rules. Facebook certainly didn't
help him, at every turn, including the last email "Sorry, l2p."

------
mkjones
Hey folks - I work on security at Facebook (though not specifically the
Whitehat program) and just wanted to let you know we're looking into this
right now.

~~~
mkjones
OK - so I work on a security team at Facebook and sometimes help with
reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP
is correct that we should have asked for additional repro instructions after
his initial report. Unfortunately, all he submitted was a link to the post
he'd already made (on a real account whose consent he did not have - violating
our ToS and responsible disclosure policy), saying that "the bug allow
facebook users to share links to other facebook users". Had he included the
video initially, we would have caught this much more quickly.

For background, as a few other commenters have pointed out, we get hundreds of
reports every day. Many of our best reports come from people whose English
isn't great - though this can be challenging, it's something we work with just
fine and we have paid out over $1 million to hundreds of reporters. However,
many of the reports we get are nonsense or misguided, and even those (if you
enter a password then view-source, you can access the password! When you
submit a password, it's sent in the clear over HTTPS!) provide some modicum of
reproduction instructions. We should have pushed back asking for more details
here.

However, the more important issue here is with how the bug was demonstrated
using the accounts of real people without their permission. Exploiting bugs to
impact real users is not acceptable behavior for a white hat. We allow
researchers to create test accounts here:
[https://www.facebook.com/whitehat/accounts/](https://www.facebook.com/whitehat/accounts/)
to help facilitate responsible research and testing. In this case, the
researcher used the bug he discovered to post on the timelines of multiple
users without their consent.

As you can see at
[https://www.facebook.com/whitehat](https://www.facebook.com/whitehat), in
order to qualify for a payout you must "make a good faith effort to avoid
privacy violations" and "use a test account instead of a real account when
investigating bugs. When you are unable to reproduce a bug with a test
account, it is acceptable to use a real account, except for automated testing.
Do not interact with other accounts without the consent of their owners."
Unfortunately, the OP did neither of those things. We welcome and will pay out
for future reports from him (and anyone else!) if they're found and
demonstrated within these guidelines.

~~~
moocowduckquack
_"As you can see at
[https://www.facebook.com/whitehat](https://www.facebook.com/whitehat), in
order to qualify for a payout you must "make a good faith effort to avoid
privacy violations" and "use a test account instead of a real account when
investigating bugs."_

I just looked at it, then switched Facebook to Arabic and the TOS is magically
still in English (edit - and right aligned really badly as the page evidently
expects Arabic). If you demand that the TOS is followed by people who do not
have English as a first language, try offering a translation.

This guy has done you all a service. The chances are that he may not have been
able to clearly read the TOS that you wish him to abide by. He should get
paid.

edit - hmm, I was about to check the situation with other languages, however now
all the buttons are in Arabic so I stopped bothering after the fourth random
page.

~~~
tptacek
They can't pay people to violate their terms of use or to try to violate the
privacy of their users. Even if they wanted to, they're probably not allowed
to do that.

~~~
spyder
So if a security bug was discovered using methods that are against the TOS,
then the information about the bug is worthless for them and it's better to
sell it elsewhere.

~~~
Udo
An argument could be made it wasn't so much the discovery of the bug but
rather the _manner of reporting it_ that was a ToS violation.

~~~
hrjet
The payment would of course be for discovering the bug.

------
davis_m
I'm not sure how Facebook was supposed to know this was a vulnerability. If
you look at the actual conversation it looks like Khalil is reporting the
ability to post on other people's walls as a vulnerability.

In the first email, Khalil simply says that he can post to Sarah Goodin's
facebook wall. He makes no mention of the fact that he and Sarah Goodin aren't
friends.

The Facebook engineer replies that he is unable to see anything from the link
that Khalil sent. This is because the engineer and Sarah are not friends.

Khalil responds with a screen shot of the post. Again, Khalil makes absolutely
no mention that he and Sarah are not friends at all. In fact, at this point it
would appear that Khalil is friends with Sarah, as he states that only her
friends can see her wall. I guess he is able to see the post he made though.

At this point, Khalil decides that the only course of action is to go post on
MZ's wall. How is that sort of escalation appropriate? By paying Khalil at
this point, all you are doing is telling people that MZ's account is an
acceptable place to report vulnerabilities, which is a horrible precedent to
set.

~~~
Killah911
I'm surprised you're not taking him to task for his poor grammar, sentence
structure and obvious misspellings. To say "replay" when he means "reply", how
the hell did his accent make it into his writing? Quite obviously his reports
were ignored.

Most certainly, this chap should have followed proper decorum by consistently
petitioning Facebook to pay heed, by filling out the necessary forms and
ensuring a stamped, self-addressed envelope was also included should they
choose to write to him at a later time.

And then to go and expound his savagery to the Noble CEO's account, an utter
insult to civility indeed! (Yes! I'm being sarcastic)

~~~
davis_m
I don't know why you are being sarcastic. I don't make one mention of Khalil's
grammar. I understand that everyone's first language isn't English, but Khalil
isn't even making an effort to be clear or accurately communicate what the
problem is.

In the comments of the blog post, Khalil admits that it isn't that he has a
poor understanding of the English language, it is just that he doesn't care.

> whatever , i dont care for miss spelling , just the idea , i never correct
> an underline red word ;)

So we have a guy that doesn't give a crap about communicating correctly, who
then complains when he is not understood.

~~~
Killah911
My views below are not directed at you individually.

Through my sarcasm I was trying to convey the often imperialistic (and in my
opinion useless douchebaggery) view we tend to take on certain matters and
people, which, I believe, hinders communication and progress in general. It's
not just a language barrier, it's a cultural barrier. One that exists even
between people who speak the same language. (Don't know if the social media
movie scene with Zuckerberg being reprimanded by Harvard was based on real
events or pure fantasy, but that's a good example.)

So he ignored some squiggly red lines, maybe his command of English is
marginal. Maybe he's worried about bullets possibly flying over his head in a
few minutes or in a situation that many of us in the west couldn't fathom.
I've had to communicate in Spanish before and I know I probably slaughtered
the grammar, spelling and more, but at that time I was trying to convey an
important message. Fortunately the people I was speaking with were very kind
and patient. They listened and somehow understood the sentences and symbols I
had cobbled together.

This whole attitude that if someone doesn't fit our cultural context
in language or behavior, they are somehow inferior, is absolute BS. I have
seen programmers with an accent perceived as being "dumb", while in fact
they were far better than their peers. I myself have been subjected to this
type of bias, when I forgot to follow some proper decorum somewhere, simply
because I was broke and had more important things on my mind. This is typical
of out-of-touch monolithic institutions and the type of thinking that goes
with it. It's outright absurd and funny, just like my sarcastic comment :)

------
srinivasanv
Figure out another way to reward this guy (maybe tell him that it's a gesture
of goodwill only) and reward him. It doesn't have to be from Facebook, Inc,
but he should get something from somewhere.

Otherwise, next time he or any of his friends finds a vulnerability, they'd be
tempted to share it with the people who _would_ reward them, since they've
seen firsthand that their reports to Facebook seem to just get ignored. When
you consider that his entire region is in turmoil, and that social media is
clearly playing an important role in the uprisings across that region [whether
you agree with them or not], you'll understand our reasons for insisting that
his efforts be rewarded somehow.

Edit 1: Not suggesting that fb intentionally ignores their reports for poor
English or any other reason, but that's clearly the impression they're
getting.

Edit 2: And while I have no reason to believe that this guy (Khalil) would
ever report a vulnerability to some dictator's security forces, others who
have seen this story might. And those who have seen this need not be his
friends either, since it's on HN, /r/technology, and elsewhere.

Edit 3: As tszming suggested, if you don't want to risk setting a precedent by
offering cash, you could perhaps sponsor an all-expenses-paid trip (with no
implications of future employment) for him to visit Facebook HQ. Granted I
don't know the legal implications of this, but it does give you a chance to
buy this guy lunch and tell him in person that you do appreciate his efforts,
motivate him to continue reporting any vulnerabilities he finds, and tell him
to encourage his friends to do the same. Actions speak louder than words, and
there's no question this would have a far bigger impact than the dismissive
two-liner he received, even if the intention was the same.

------
rikacomet
So what does this guy get for reporting one of the most relevant bugs that
could have exploited the privacy of a billion people? PEANUTS!

When the top guys behave like this about rules, it clearly shows a lack of
conscience. Rules are made to keep 99.9% of mess at bay.

This guy invaded the privacy of, say, 1-2 people, and that too only when the
relevant authorities didn't respond in the correct manner, and saved the
invasion of privacy of millions at least.

And what privacy? Only a relevant post (not spam) on the profile of the
company's biggest authority.

Yeah someone probably died of laughter from that post/ breach of privacy... So
DUMB!

------
Cyph0n
So they get the exploit and fix it without paying the person who found it.
These kinds of actions lead exploit finders to instead pursue rewards through
the black market. Very sad indeed.

------
danso
The OP's English is not excellent (but way better than my Arabic)... but I'd be
interested in hearing the FB responder's rationale for dismissing the initial
submission. Language barrier aside, the link and the image provided should
speak for themselves.

But perhaps the bug-hotline gets so much spam that the OP came off as junk
email to the FB dev team? Just skimming over his email, I'm struck by how much
poor punctuation and capitalization triggers my mental spam alert (and that's
before even reading the actual contents).

------
cupcake-unicorn
Wow, upvoting this and I really hope it goes viral and FB gets called out for
it. Hopefully he can get the bug bounty he deserves. That's incredibly sleazy
of FB to treat him this way.

~~~
merijn481
I'm surprised at how many people just assume the FB sec team doesn't want to
pay and therefore tries to not pay if they can get away with it. Their history
of paying out is completely the opposite. I've reported several bugs and
they're always extremely helpful. They're not an insurance company that wants
to reduce cost by screwing over users and there is no historical evidence of
that. They want to pay for bugs and get as many of them as possible. What they
don't want is for researchers to mess with other users' data. The guy could
have just used two accounts to demo (he managed to create a new account after
his own account was blocked). Using Zuck's account doesn't make it more
convincing from a tech perspective. It only makes the guy taken less seriously,
as most researchers care more about how it works than messing with accounts of
famous people. Not the smartest move. I understand the sec team draws a line
and doesn't pay researchers that mess with other people's data. That's not
sleazy, that's sane; otherwise it gets exponentially worse as people try to
outdo each other in terms of impact instead of focusing on explaining the
technique behind a hack.

~~~
lhl
"Using Zuck's account doesn't make it more convincing from a tech perspective."
- In this case, that's obviously false. The guy submitted the bug twice and
the final reply was "This is not a bug." After posting to Zuckerberg's account
it was subsequently fixed.

I'm sure the FB security team triages a lot of bug reports, and a few get away
- hopefully they'll be better about trying to get more info (boiler plate
requesting steps to replicate or a video), but beyond that no harm no foul. I
can also see that they don't want to encourage researchers messing with real
user data. However, if they paid him out and told him in the future, that he
should provide more information and not use real accounts (or not get paid
out, etc), that'd have the same effect (you know, since it already happened)
w/o the bad will generated.

Instead, they didn't pay him, locked his account, and now we're reading that
blog post, not only encouraging him and the people like him in the future to
not submit these bugs in the future (certainly serious enough that it'd be
worth discovering vs being in a 0-day marketplace), but generating way more
visibility for no good reason. It's just not smart.

------
DanBlake
Looks like if you edit Facebook in Firebug while you are posting a link to
your newsfeed you can change the source userid, which is not validated/checked
and gets posted even though you don't have the permission to do it.

~~~
dustywusty
This isn't true.

~~~
nemetroid
Obviously you cannot do so any longer as the bug has been fixed, but that
seems like a good description of the exploit as shown in the video.

------
skeletonjelly
Have to agree with everyone here. The first email gives enough information to
base a case on. Enough to simply do a quick search and verify these people
aren't friends. I get less information than this from users for a product we
support, it's frustrating, but if you don't investigate each lead as a
potential you run the risk of having it snowball.

Shame on Facebook for dismissing this guy's reward due to the lazy actions of
one employee. It would have taken one question, or one 5 minute validation of
the claims to make this a non issue.

~~~
davis_m
How does the first email contain enough information to base a case on? All he
says is that he can post links to other people's walls. He makes absolutely no
mention of not being the target's friend.

~~~
skeletonjelly
Hmm well the implication made sense to me. It would have taken a few seconds
to see that these people weren't friends. And all the engineer had to do was
ask at least one question to probe for more information instead of a
dismissal.

Edit: I'm sure Facebook engineers have something a bit more advanced than
this:

[https://www.facebook.com/zuck?and=khalil.shr](https://www.facebook.com/zuck?and=khalil.shr)

This link works if they know each other. Try going to your profile and adding
?and=zuck for instance.

------
gary4gar
This is obviously because of the language barrier. It seems the bug reporter
didn't have any evil intentions but was just trying to get the attention of
Facebook so this could be fixed, so I think he should be paid. Maybe you can
ask for an apology for tampering with user data, as he was wrong on that part,
but still he did discover a valid flaw in Facebook's iron clad security.

------
throwawayg99
I submitted a bug to Facebook's whitehat disclosure 3 or 4 months ago. Got no
response whatsoever, except an automated response. The bug still exists. The
bug allows users to post as though they are other users on the timeline. I
think that is pretty serious, but I guess they do not.

------
esailija
I don't think you guys understand. You can't publicly use the exploit and then
back away and use the white hat system after the fact. It clearly shows him
spamming some profile before even making the first contact.

~~~
prawn
Spamming?

Edit: It was a tame music video. On the spectrum of demonstrating to a test
account all the way through to selling his discovered flaw to actual spammers,
I rate this at the low end.

~~~
esailija
It is some link to a youtube video, posted to a public user's facebook wall
through the exploit. That's what the screenshot shows.

------
orf
The guy gave more info on his education than the exploit he was reporting. How
is he surprised that they didn't take him seriously?

~~~
kevingadd
My guess is he thought starting by explaining that he has a CS education would
make them less likely to assume his comment was from an ignorant foreigner.

Unfortunately, that didn't work either.

------
callesgg
My view: If they fixed the "bug"/security hole, credit should be given.

The TOS stuff, I think, is a bit shitty. Partly because they made him do it
(more than necessary).

------
philliphaydon
So Facebook refuses to pay this guy? So now this white hat hacker will, next
time, sell the hack and make a lot more money... Way to go Facebook, you've
fucked up again.

------
speedyapoc
What a terrible way to report a vulnerability. In no emails did Khalil clearly
demonstrate how to reproduce it despite giving "repro steps" which weren't
reproduction steps at all. I understand there is a language barrier but that's
just pathetic.

------
hvass
Of course in hindsight they should have been more diligent, but how many
reports do they receive per day? But I see no excuse for not paying the guy
for finding a serious flaw in their system, especially dismissing it on 'TOS'
grounds.

------
ivanhoe
And they expect people to continue reporting bugs to them? Really?

------
badman_ting
Ugh, they handled his disclosure like such typical dismissive nerds.
Disgraceful.

------
springishere
In my opinion good faith should be taken into consideration here. It sounds
like he didn't understand the TOS as it was not in his native language. This
didn't hurt Facebook at all and saved them a lot of trouble. I don't get why
they don't just pay up and say thank you, as well as giving him a copy of the
TOS in Arabic to avoid future misunderstandings.

------
kbar13
Just as your disclosure emails provide almost no information whatsoever, your
blog post was also pretty devoid of useful explanation.

~~~
ethanbond
> I found an exploit, here's proof, but I'm having difficulty conveying
> information due to linguistic barriers.

> Nope that's not a bug.

What did you expect him to do? Learn English on the fly? Conveying specific
technical things is a difficult skill to learn even for native English
speakers.

Sure his communication isn't the best, but neither is "I can't click that
link" nor "This isn't a bug."

~~~
jbroman
But it's reasonable to expect him to say _something_ about how it was done.
Recording a video is one possible method, and one he's evidently capable of.

Pasting a link to a Facebook profile does not explain the exploit.

------
ramigb
A long time ago a friend and I once submitted a whitehat bug that allowed the
user to send messages to anyone even if they had disabled messages from non-
friends. I don't think this option still exists, but anyway, Facebook told us
this wasn't a bug. We didn't even argue, suckers! I now wish I had done the
same as Khalil and recorded the bug.

~~~
merijn481
Well, if you have the email, just reply to it and re-open the conversation and
see what happens. If you can explain it correctly, they might be able to
research if the bug indeed existed and was fixed. I did a follow up on a bug
that I submitted before the whitehat program was in place and that I never got
a response on. They looked up the bug, replied to me and paid me. Very
diligent.

------
jeromeparadis
I had helped a friend report a security vulnerability to Facebook. It was
similar in the sense that it allowed anyone who knew 2 Facebook usernames
(easy to do) to post a private message to someone that would appear to come
from a friend. You didn't even need to be authenticated on Facebook to do it
and could post it from any machine on the Internet.

At first Facebook was similarly dismissive that it wasn't a bug. My friend
pushed a bit to convince them with additional details and examples of how it
could be easily used for exploits. They finally saw the light. The bug was
fixed and my friend got paid $1K which wasn't much for the bug's seriousness.
In any case it got fixed and my friend got acknowledged so it's OK.

It's a bit of a pity, though, that they didn't see it to be serious at first.
I would have expected any mediocre engineer to skip a heartbeat when
learning of such a bug in their system.

------
pearjuice
I find it harsh of Facebook that without technical leverage they do not pay
out bounties.

~~~
merijn481
They didn't pay because he messed with other peoples' data. That's a clear no-
go.

~~~
g4ur4v
He couldn't have proved it without doing that.

~~~
ceol
He could have made test accounts with appropriate privacy settings. He could
have just told the security team, "Your server does not validate permissions
when posting to walls, so if you change this specific HTML form value to
anyone else's profile ID, it will post to their wall."

~~~
lessnonymous
It's pretty freaking obvious there was a language barrier problem here. He
knew of the whitehat program, but not the ability within it to create test
accounts: he asks the security team to set up a test account so he can post to
it to show them the problem.

------
BenjaminN
Shitty move from Facebook, because 1°) this is a major security issue, 2°) it
could have done a lot of damage, 3°) who coded this in the first place,
seriously?

Come on guys, just give him the money.

------
stack0v3erfl0w
Can you provide details on how the exploit works? Even in Arabic, as I am pretty
sure someone will be able to provide a good enough translation for us.

------
capkutay
One of my issues with FB is that it's not easy to report a problem or get
any kind of support (although it's a free service). In one day, I lost over 100
Facebook friends with no explanation. It's obviously a little humiliating to
have everyone think you defriended them. I hadn't seen the issue before, nor
could I report it anywhere.

------
tzury
I bet posting on Zuck's wall helped awake the WH team as well...
[http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-6...](http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/)

------
gedrap
If I was this guy, I would rather say screw it than trying to get attention by
posting to Mark's wall. Given the recent cases in the USA (e.g. he used
wget!!!), Facebook could give a massive slap and sue him. And probably win.

------
uladzislau
Blissful ignorance. Next time a guy like this will either do a lot of damage or
sell the exploit to those who will pay.

Every security report should be taken seriously regardless of whether it comes
from a well known expert or just a guy from Palestine.

------
Rygu
To all the commenters that think Facebook should pay this guy: he became "the
guy who hacked Mark Zuckerberg ON Facebook" overnight. I guess that this will
probably open some doors for him, and if not, he's still become famous. :)

Maybe Mark should just hire the guy to replace the initial bug responder.

------
homakov
Taking into account the fogginess of the researcher's emails and the amount of
emails FB whitehat receives daily... I am not surprised they said it's not a bug.

PROTIP: Reports should have PoC and be concise. No information about your
bachelor degree should be attached.

------
din12143
Let's hope that OP doesn't have any more security vulnerabilities in hand,
because if he does, FB will pay the price of not paying him the first time
:)

------
vxNsr
Well the good news is that in the end he'll probably get something because of
all the ruckus we've made! So good job peeps!

------
harel
That is discouraging further reports... You should get paid Khalil. Hope it
all works out.

------
loceng
Did someone post this to Reddit yet? This guy should get the bounty.

~~~
dguido
Yes, and they have a wildly different opinion than HN:

[http://www.reddit.com/r/netsec/comments/1kkvei/user_reports_...](http://www.reddit.com/r/netsec/comments/1kkvei/user_reports_security_bug_to_facebook_after_user/)

~~~
loceng
Well, since you seem to have a top comment there - you don't see an error in
the way the initial security responses were? Why didn't they guide him into
providing the information they needed, to ask him specifically? Or point him
out to the whitehat program, etc? They have no responsibility there - is that
what you're implying?

------
swamp40
So, how much money did he miss out on?

------
asitkumar
That's what happens when Mr. Zuckerberg doesn't listen :P

------
weakwire
Or hire the guy. "Job: unemployee :/"

------
walid
Well done, tough guy, my fellow countryman.

------
corresation
Unfortunate situation, but I suspect that the overwhelming majority of HN
would have dismissed this out of hand (though it is perfect hindsight to now
say they should have worked harder, etc). It reads like minimal-effort
ramblings.

