Print 27 comment(s) - last by Totally.. on Aug 23 at 5:03 AM

Popular social network claims hacker's poor English language skills disqualify him from receiving an award

Social networking giant Facebook, Inc. (FB) is mired in a new controversy, this time dealing with bugs in its network and their privacy ramifications.

I. "This is Not a Bug"

The story begins with a Palestinian information systems expert named Khalil who last week discovered a bug in the social network that allowed him to post to anyone's wall -- including those he wasn't friends with.  This is a pretty big deal as one of Facebook's key curbs to spammers is that you must be friends with people, by default, to post to their walls (and users can even further limit their walls so that only certain close friends can post, with the right settings tweaks).

He filed the bug report to the proper channel --" rel="nofollow -- hoping to get paid.  But a Facebook engineer replied to him that when they clicked the link they only got an error:

Facebook flaw -- bug report

Frustrated, he sent another bug report, only to be told by Facebook Security Engineer "Emrakul", "I am sorry this is not a bug."

So the security researcher took matters into his own hands posting on a user's wall that he knew would draw attention -- Facebook CEO Mark Zuckerberg.  He wrote in a friendly tone, providing a PasteBin to a detailed log of his interactions with Facebook engineers via a bug report system:

Facebook flaw -- Zuckerberg wall post

II. Okay, Maybe it is a Bug

The post certainly attracted attention.  Within minutes he was contacted by a security team member, Facebook engineer Ola Okelola. But Facebook didn't exactly greet his disclosure with open arms.  The company suspended his account temporarily for posting on Zuck's wall.

While they eventually reinstated his account, Facebook ultimately refused to pay the $500 USD bounty that a bug report typically carries.  MK Jones -- a Facebook engineer -- defends this decision in a Ycombinator forums post, first offering a roundabout jab at the reporter's English, commenting:

For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.

Facebook money
There will be no pay day for Mr. Khalil from Facebook. [Image Source: Zagg]

Mr. Jones goes on to write:

As you can see at" rel="nofollow, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.

But that argument is clearly flawed, in that Facebook's staff had told him "this is not a bug".  As one commenter on Mr. Khalil's blog puts it:

They told him flat out when he reported it "this is not a bug" they didn't ask for more info or anything. He post on zuck's page then it becomes a bug but he violated TOS.. That's a no win right there.

Mr. Jones did offer this halfhearted apology:

To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video initially, we would have caught this much more quickly.

But so far there's been no indication that Facebook is willing to dish out the $4,000 it normally gives for severe bug reports.  

III. Facebook is Setting a Dangerous Precedent With Response

IndieGogo campaign has been started to pay Mr. Khalil the amount that Facebook shorted him, considering he did disclose in a relatively responsible way a bug which could have brought him big cash from spammers.

The whole experience can be viewed as a cautionary tale to security experts -- particularly foreign ones.  While Facebook has indeed paid out $1M+ USD for bug reports (the equivalent of 2,000 smaller bugs which offer a $500 bounty, or 250 bigger ones), it also at times has refused to acknowledge certain bugs or arbitrarily denied reporters their bounties.  These scenarios will certainly drive some to full disclosure out of frustration, although few full disclosures will be as flashy or carefully documents as Mr. Khalil's.

Facebook can choose not to pay researchers, but it must beware alienating the community. [Image Source: Getty Images/modifications Jason Mick]

Yes, Mr. Khalil could be interpreted to be in violation of Facebook's ToS.  But it's a black eye to the security program to not pay him, when he kept details of the vulnerability private, acted politely throughout the entire disclosure, and even first tried to go through official channels.  It's Facebook's decision not to pay him, but it's the kind of decision that may cost the company in the long run, by stifling responsible disclosure.

It should be noted this is not the first time a bug has been applied at Mark Zuckerberg's Facebook account.  Previously, a bug had outed his private photos, revealing his budding romance with Priscilla Chan and his passion for hunting -- which in turn gave rise to the "Kill what you eat" meme.

Sources: Khalil on Blogspot, Facebook on Ycombinator, Reward Khalil on IndieGogo

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

WTF Facebook
By techxx on 8/19/2013 3:07:12 PM , Rating: 5
Talk about stingy coming from a multi-billion dollar company... pay the guy!

RE: WTF Facebook
By xti on 8/19/13, Rating: -1
RE: WTF Facebook
By bodar on 8/19/2013 8:37:25 PM , Rating: 2
Language issues aside, you would think someone with a degree in info systems would know how to file a bug report, showing steps to reproduce it, not just "here's a link to a wall post I made to someone who is not my friend."

As the article says though, FB is setting a crappy precedent by not paying him, however. If they welch on paying for a legit bug just because Zuckerberg got embarrassed, they throw away the trust of not just Khalil, but other security researchers. No one likes working for free.

RE: WTF Facebook
By xti on 8/20/2013 12:40:19 PM , Rating: 2
thats the FB setting a crappy precedent by not paying him when they have paid hundreds or even thousands of others? People love drama so I could see how the 1 outweighs the many, but wow.

it sucks because this could turn out that this 1 is gonna ruin it for all.

RE: WTF Facebook
By AntDX316 on 8/22/2013 2:19:35 AM , Rating: 2
I think the purpose is to get more attention to this matter. He will probably give the information to massive hackers which would cause major havoc in the important business lines. Then after, major security team facebook people will make ways for it to never work perhaps invest millions to make it happen. It won't get ultra bad enough to takedown facebook but just bad enough for it to happen because facebook doesn't seem to care that much about having preventive measures to protect peoples vital reputations which lead to eternal fatalism.

RE: WTF Facebook
By Totally on 8/23/2013 5:03:13 AM , Rating: 2
The exploiy has already been patched according to another article.

RE: WTF Facebook
By anactoraaron on 8/19/2013 5:09:47 PM , Rating: 1
Had FB not gone public then maybe the guy would have got something. But try explaining that to a bunch of greedy A-hole shareholders that care nothing about the company they are responsible for.

"Security vulnerability?" "What the hell is that, and will it make us money?"

"No, it's not like that, it's just someone looking for a handout."

"Oh." "Another one of those." "Ignore him, he'll go away."

"What about the security thing?"

"Can we use it to increase ad revenue?"

"Well, maybe... I'm not a technical person..."

"Keep it in there until we find out if this can make us any more money."

Case closed.

RE: WTF Facebook
By ebakke on 8/19/2013 5:37:20 PM , Rating: 2
Do you try to maximize your lot in life? Do you try to generate as much income as you can? If so, do you also attempt to take advantage of other people in the process?

If not, why is that you assume others do? Are you the only caring individual in the world?

RE: WTF Facebook
By ammaross on 8/20/2013 10:38:38 AM , Rating: 2
Just because a lowly commentard on here (who is 99.99999% not likely to be on a board of shareholders) is not willing to trample on others to get ahead in life, doesn't mean that some/most/all (insert your own personal view) who are currently ahead in life didn't already do so to get there.

RE: WTF Facebook
By xti on 8/20/2013 12:42:06 PM , Rating: 2
yeah, i would totally do it. I can feel bad about it when im dead.

RE: WTF Facebook
By ebakke on 8/20/2013 1:32:00 PM , Rating: 2
doesn't mean that some/most [...] who are currently ahead in life didn't already do so to get there.
Of course it doesn't. Which is why I didn't claim it did.

And now...
By Marlin1975 on 8/19/2013 3:12:17 PM , Rating: 5
And now it just tells people its probably better to sell the bug you find then try and get the bounty from facebook. Good to know. ;)

/Unintended consequences

RE: And now...
By drycrust3 on 8/19/2013 6:07:45 PM , Rating: 5
Especially if you happen to not be an American. $500 could well be at least a month's pay for some of these guys, so to try to go through the right channels ... I think Facebook's official process is really meant so they can wriggle out of paying ... then get told "Go away, we're not paying you a cent because you proved your point" after they've closed the hole in the system would really hurt.
So now the lesson is go to some group with a gripe against Americans because they will pay in advance, they'll pay better, and when the hole is closed you will still have your Facebook account.

500-4000$ ????
By ReloadAO on 8/19/2013 7:21:53 PM , Rating: 2
Is it worth? If he sold this out to spammer he could have made 10 times.

FB should reconsider this.

RE: 500-4000$ ????
By maugrimtr on 8/20/2013 8:40:13 AM , Rating: 4
They're striking this guy by being overly strict. He obviously intended no harm, tried to report it, and finally went for the CEO. His honest persistence should be rewarded.

Sure, his English is not great, and he technically broke the FB terms in not using test accounts, but you can scratch that off due to ignorance.

Man deserves his $500. It was an extremely significant vulnerability.

By drycrust3 on 8/19/2013 3:15:37 PM , Rating: 2
But it's a black eye to the security program to not pay him, when he kept details of the vulnerability private, acted politely throughout the entire disclosure, and even first tried to go through official channels.

Facebook is different from a large number of other companies in that its value is almost soley related to how internet users value it. If users believed there was no more privacy here than in a school playground and they closed their accounts in droves and turned to some other social media website, then I think Facebook's value would drop very fast, and the drop would be greater than the amount of users who left, e.g. if say 0.1% of users left over this, I think this would wipe several dollars off the value of Facebook shares (currently around $38.00 per share), resulting in a devaluing of the company by several billion.
This bug isn't just about being able to write on every user's wall, it is how this threatens the value of a $15B company (well, that is the value according to Wikipedia), and how Facebook values protecting their shareholders' investment.
To me, paying $500 to protect the value of shares would have been a smart move; and to not pay the $500 is a dumb move because it tells other hackers to shop elsewhere first to see who would pay better, e.g. Saatchi and Saatchi would probably have paid at least $500 for this bug.

Next time
By SteelRing on 8/19/2013 6:33:23 PM , Rating: 2
Please remind me and everyone else in the world to sell your exploit to the highest bidder next time.

I bet they'd pay more than a few grand for an exploit to spam everyone's wall..... LOL.....

By Mike Acker on 8/20/2013 8:54:44 AM , Rating: 2
next hack will probably be reported on 4Chan

By p05esto on 8/21/2013 4:11:23 PM , Rating: 2
bite me facebook. Who still uses this stupid self masturbation service?

Nice work
By amypaige654 on 8/21/2013 4:52:11 PM , Rating: 2

Searching for a way to earn money online ? Just give a click to this site and enjoy benefits of earning at home. Earning at home made possible with a little effort. ...

By DigitalFreak on 8/19/13, Rating: -1
RE: Because...
By NellyFromMA on 8/19/2013 2:40:09 PM , Rating: 2
If only his name was John.

RE: Because...
By ClownPuncher on 8/19/2013 3:20:54 PM , Rating: 2
Yes, this is clearly an issue of the ongoing Jew vs. Palestinian struggle...

RE: Because...
By Samus on 8/19/2013 5:21:44 PM , Rating: 2
If Facebook wants to be considered an international company, they they shouldn't consider Palestine an enemy. They have a lot of users there (and in many other territories that might be considered enemies-of-the-state) and they profit from those users existing on Facebook.

This is a really crappy deal for this guy. He did everything right.

RE: Because...
By ClownPuncher on 8/19/2013 5:51:45 PM , Rating: 2
I doubt Zuckerberg cares too much. I was just being silly.

RE: Because...
By Captain Awesome on 8/19/2013 8:52:59 PM , Rating: 2
There is nothing silly about punching clowns!

By shannaemoon on 8/19/13, Rating: -1
"Game reviewers fought each other to write the most glowing coverage possible for the powerhouse Sony, MS systems. Reviewers flipped coins to see who would review the Nintendo Wii. The losers got stuck with the job." -- Andy Marken

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki