For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.
I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit - and right aligned really badly as the page evidently expects Arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.
This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.
edit - hmm, was about to check the situation with other languages, however now all the buttons are in Arabic so I stopped bothering after the fourth random page.
However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.
Lesson learned: Find a security hole, report it to Facebook, and they don't respond after two attempts? Sell it as a zero day.
Incentives matter. And there is always money to be had somewhere else.
When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.
"You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
You will not create more than one personal account."
"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."
It's translated. I believe it requires you to be in a locale to get this page to display automatically. It certainly exists for people creating accounts in Arabic, and absolutely includes the relevant lines.
Obviously I don't love the end outcome, and this would have gone better for all parties if he had used a test account and included some kind of repro instructions (like that video) in the initial report.
Clearly, but that's not really something you can control. From your perspective, the other side of the tradeoff with "hurting real user accounts" is "leaving open a huge security hole", not "being mean to whitehats when they screw up". I don't disagree that the guidelines seem quite reasonable prima facie and perfectly fair to the whitehat in some moral sense, but it's unclear if they're actually working. It boils down to, if you had to choose between finding out about this security hole the way you did or not finding out about it at all, which would you choose? How many not-quite-so-aggressive versions of this guy are out there, and how many holes are you leaving on the table? Edited to add: If an important way of finding vulnerabilities is people breaking the rules, then the rules suck, regardless of their intrinsic fairness.
It could well be that keeping not-great-communicator/guideline-follower whitehats from reporting some number of bugs through questionable means is actually worth those flaws sticking around. Of course I don't see the daily flow of vulnerability reports to FB (or all the ones that don't ever get reported), so I don't know. But it sounds like a harder question than you make it out to be.
We all know this person had good intentions. But good intentions aren't always enough. Facebook doesn't appear to be freaking out at him. They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
This is like... the textbook definition of a hack.
> however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.
I love that this statement is downthread of a Facebook engineer's comment that states he considers the guidelines reasonable. It's as if you're just a drone following written orders without the ability to make compromises.
>This is like... the textbook definition of a hack.
Perhaps of "hacking FB", but he didn't "hack an account".
I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.
All they are achieving by reacting this way (including the apologets) is that next time, such people will just sell their exploits on the blackhat market.
The blackhat market for Facebook exploits is not huge because the product is centrally controlled and can be patched at any time. It's not like 0-days for products with individual installations that aren't centrally controlled with forced updates - those are clearly valuable.
re: reason; where does his reason come into play? It does not seem reasonable to post to M.Z.'s timeline, I'd guess he did that because he was P.O.ed at being dis'ed by the support people.
In the bureaucratic theory I am aware of, if you have rules (policies, procedures, standards etc.) you need to apply them consistently. Sometimes the rule will allow for discretion, sometimes not. I don't see room for discretion here.
Yeah, rules that don't take into account reason are inhumane. Similarly why we don't just give everyone 10 years in prison because they committed a crime - you take into account all aspects - and not just apply "oh but he committed a crime, so this is the result."
No one said anything about a crime. Denial of the bounty is not brutal.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
I don't see why that is. They already provide the following caveat:
> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.
So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).
I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?
However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.
I'm no fan of Facebook, but even I can see why they can't ever encourage such irresponsible behaviour.
1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)
2) Embarrassing the CEO of a company and thereby also hurting the reputation of his company
3) And on top of that he breached his privacy
And you still think that they treated him too harsh by withholding payment?
I mean couldn't he have waited a few more days or reopened the ticket - or maybe just used Facebook's test accounts?
It's not like he waited for ages, he brought this bug to attention last Friday.
But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZ's wall.
In the appropriate language: https://news.ycombinator.com/item?id=6231153
Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.
> But good intentions aren't always enough.
Several attempts to contact them despite being told the actions he was taking were not a bug, despite clearly explaining why it was?
If only you could do something about it to make the end outcome more ideal.
You should be rewarding him, not discouraging him.
I know arguing with someone as stubborn as you is useless, but what can I say?
He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.
If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.
Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.
If this is the case, then surely Facebook could just choose not to press charges, and if so, what would be unlawful about paying him in that case?
They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)
Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.
You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.
You're wrong about that.
Saying someone fucked with another person's account implies otherwise.
Consider what motivates people more deeply.
Thinking otherwise might be idiotic too, but that's beside the point.
At the moment the loud and clear message is that there are far more welcome places than Facebook to report found issues.
Additionally, if you're not logged-in, then the test accounts page doesn't work. It redirects to the same page as facebook.com/whitehat, with no notification that the test accounts page even exists.
You should really pay him.
The right thing to do is add Khalil to the white hat list, and pay him what he deserves. He doesn't speak or read English as you have noticed. Your TOS for white hat page is NOT even translatable.
He used real accounts because your team did not care what he had to say. What do you think he should have done? Sell it to the black market?
But couldn't your team be a bit grateful? Though he did post to Zuck's account, he didn't sell the vulnerability as a zero day on the black market, no?
A cheap insurance policy, making the payout, cultivating trust with white hats who are nonetheless decidedly a bit bone headed (if not well meaning).
Alright, here's a preemptive question for you then.
Should a logged in user be able to retrieve the email addresses of an arbitrary friend, regardless of their contact privacy setting being set to "only me"?
You all are lucky that people are sharing this stuff with you guys for $500 instead of on the black market for much more. You're also lucky that people are doing the job that highly-paid Facebook engineers should have done. And if I read between the lines of your post, you and your team think that you're pretty clever.
The right thing to do is to cut this guy a check for $500 and keep your mouth shut, before people stop reporting security bugs to you.
I know I'm already discouraged--if I find anything, the last thing I want to deal with is a mediocre engineer telling me I didn't fill out the TPS form the right way.
The language barriers are enough to justify any mistakes made in conforming precisely with the t&cs. He didn't abuse the hack. He reported it to you. Pay him tbh.
"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.
That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.
He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post.
Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that
Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."
You discover a bug on FB just by being a normal user not a "whitehat" security user:
* You discovered it by doing "something" to someone else account --> FB will not pay : SELL on black market.
* You think the bug isn't really a bug but then it happens again --> FB will not pay : SELL on black market.
* You have a life that you don't want to waste with reading through legalese and filling out forms. FB says it is not a bug. Maybe they are right? You don't want to spend the time arguing about it over email --> SELL on black market
* You are not a lawyer, or do not do security testing full-time on FB. Or you are a normal user who has not kept on the FB ToS now that we are on the 100 billionth version --> You probably did something wrong. --> FB will not pay : SELL on black market.
* You are a US citizen and do not want to be charged with CFAA violations as a hacker --> SELL on black market.
FB might give you some money.
For a better PR, pay him and use this case as an example to teach the future whitehats. FB has low esteem for a reason.
It's pretty arrogant of Facebook to redefine the meaning of white hat don't you think? Posting to the Facebook founders page to let them know of a security vulnerability is not malicious, plain and simply, not. Trying to steer the embarrassment of your failings because this guy didn't read your TOS is incredibly hypocritical.
Plus I am very sure the mistake was on Facebook's end in the first place. I experienced it myself: for 6 months now I have been trying to get Facebook to take action because of a breach of privacy and a violation of Facebook's terms by a Facebook user - I have not even gotten a response on any channel I tried.
If you really do not give him his reward for the report and keep him informed, then this is extremely unfair on Facebook's end. In this case I strongly recommend to white hat hackers in future cases: do not count on the Facebook team; publish bugs and security issues on blogs. Obviously the Facebook team gives priority not based on whether a problem is urgent, only on how "public" it is.
In addition to all of that, it's the right thing to do.
You stay classy Facebook.
Shows how many issues there should be that are not taken into account.
BTW: English not being the primary language for these folks has nothing to do with anything; it shows how much stereotype there is in being American or not. It's a global world, wake up!
That being said I think Facebook could have given the reward and a slap on the wrist at the same time considering the language barrier.
So each reporter received approx. $1000? That's all?... Heh, Facebook is a very greedy company.