
Facebook cancelled a student's internship after he highlighted privacy issue - ladzoppelin
http://www.msn.com/en-us/news/itinsider/facebook-cancels-internship-after-student-flags-privacy-flaw/ar-BBlHH1a?ocid=spartandhp&pfr=1
======
jcr
discussion:
[https://news.ycombinator.com/item?id=10051613](https://news.ycombinator.com/item?id=10051613)

------
apetresc
That seems fine. This wasn't a responsible security disclosure, they're not
punishing a whistleblower. Publishing an extension to the Chrome Web Store
that lets anyone exploit the bug is NOT the responsible way for anyone to
"highlight" a security issue unless normal channels have repeatedly failed
(which was not the case here), let alone someone who is working for them.

~~~
nadams
> Publishing an extension to the Chrome Web Store that lets anyone exploit the
> bug is NOT the responsible way for anyone to "highlight" a security issue
> unless normal channels have repeatedly failed

I think that's the core behind responsible disclosure. If I was management at
Facebook - I would be perfectly fine if he published a paper about it after we
patched the bug (in fact I would encourage him to do it) - but not create an
exploit allowing N number of people to use it then tell me about it.

Edit: changing point of view

If someone told me about an exploit in one of my sites - I might even pay him
a small reward.

There are of course those who are completely out of touch with reality and
completely ignore legit issues. Never forget the Super Meat Boy incident of
2010 [1]. That has actually made me stop playing their games - because it
makes me uneasy to think they were sitting in the kitchen table or office and
thinking "it would be a great idea if we connected directly a MySQL server to
query custom level data!" - and not at least find someone to bounce that off
of to wonder why other people aren't doing that.

[1]
[http://forums.somethingawful.com/showthread.php?noseen=0&thr...](http://forums.somethingawful.com/showthread.php?noseen=0&threadid=2803713&pagenumber=258#post398884189)

------
verroq
Why would he apply to work for Facebook if he cared about privacy anyway?

------
asdrty
Facebook should probably also get sued... I have trouble believing that this
was not intentional on their part since there is a setting to share or not to
share your location.

------
CHY872
Seems silly to needlessly antagonise your future employer?

I mean, it's a cool hack, but common sense seems to have gone out the window.

------
27182818284
Seems unlikely given that they pay out thousands of dollars for security
glitches? huh.

------
mindcrime
I'm sure the kid will be OK. And maybe he can find somewhere better to work
than Facebook now. I mean, who wants to spend their life working on helping
find better ways to mine people's personal information to help make better ads
anyway? Sure FB have some interesting technical challenges and they do release
a lot of code as OSS, which is good. But they're not exactly a "cool" company.

------
Tloewald
<snark>Luckily MSN is here to report on big companies that invade our privacy
that aren't Microsoft.</snark>

~~~
smoyer
I too enjoyed a bit of that delicious irony!

In other news, Facebook is actively looking to purchase a global news
organization so that they can report on Google's privacy violations - insiders
say it's not Fox News. Completing the circle, Google's move to Alphabet allows
them greater freedom to create their own news agency. Due to long periods of
dog-fooding followed by eternal beta programs, pundits expect Google's service
to reach general availability sometime in the fourth millennium.

