Facebook Ignores Hacker's Bug Report, Then Refuses to Pay Him
August 19, 2013 2:03 PM
Popular social network claims hacker's poor English language skills disqualify him from receiving an award
Social networking giant Facebook, Inc. is mired in a new controversy, this time dealing with bugs in its network and their privacy ramifications.
I. "This is Not a Bug"
The story begins with a Palestinian information systems expert, Mr. Khalil, who last week discovered a bug in the social network that allowed him to post to anyone's wall -- including the walls of people he wasn't friends with. This is a pretty big deal, as one of Facebook's key curbs on spammers is that, by default, you must be friends with people to post to their walls (and users can limit their walls even further, so that only certain close friends can post, with the right settings tweaks).
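As an added illustration (not code from the article, from Mr. Khalil or from Facebook), here is a model of the wall-posting policy the article describes: friends may post by default, a user may narrow the wall to a named list or close it entirely, and every path that writes to a wall, sharing a link included, must go through the same authorization check. The setting names, the account structure and the audit list are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed wall-privacy settings (assumed names, not Facebook's own).
FRIENDS_ONLY = "friends"   # default: only friends may post
CUSTOM_LIST = "custom"     # only accounts on wall_allowed may post
ONLY_ME = "only_me"        # nobody else may post

@dataclass
class Account:
    user_id: str
    friends: set = field(default_factory=set)
    wall_setting: str = FRIENDS_ONLY
    wall_allowed: set = field(default_factory=set)  # used with CUSTOM_LIST

def can_post_on_wall(poster: Account, target: Account) -> bool:
    """Single authorization choke point for every write to a user's wall."""
    if poster.user_id == target.user_id:
        return True
    if target.wall_setting == ONLY_ME:
        return False
    if target.wall_setting == CUSTOM_LIST:
        return poster.user_id in target.wall_allowed
    # FRIENDS_ONLY (default): the friendship must be recorded on the target
    return poster.user_id in target.friends

# Constructed audit trail of denied wall writes, useful for spotting abuse.
denied_attempts = []

def post_to_wall(poster: Account, target: Account, content: str, via: str = "status") -> dict:
    """Every posting path routes through can_post_on_wall; a path that skips
    the check is the class of bug the article describes. Fails closed."""
    if not can_post_on_wall(poster, target):
        denied_attempts.append((poster.user_id, target.user_id, via))
        raise PermissionError(f"{poster.user_id} may not post on {target.user_id}'s wall")
    return {"author": poster.user_id, "wall": target.user_id, "via": via, "content": content}

def share_link(poster: Account, target: Account, url: str) -> dict:
    # Sharing a link is just another wall write, so it reuses the same check.
    return post_to_wall(poster, target, url, via="share_link")
```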
He filed the bug report through the proper channel, hoping to get paid. But a Facebook engineer replied that when they clicked the link they only got an error.
Frustrated, he sent another bug report, only to be told by Facebook Security Engineer "Emrakul", "I am sorry this is not a bug."
So the security researcher took matters into his own hands, posting on a wall he knew would draw attention: that of Facebook CEO Mark Zuckerberg. He wrote in a friendly tone, providing a PasteBin link to a detailed log of his interactions with Facebook engineers via the bug report system.
II. Okay, Maybe it
The post certainly attracted attention. Within minutes he was contacted by a security team member, a Facebook engineer. But Facebook didn't exactly greet his disclosure with open arms. The company suspended his account temporarily for posting on Zuck's wall.
While they eventually reinstated his account, Facebook ultimately refused to pay the $500 USD bounty that a bug report typically carries.
Mr. Jones, a Facebook engineer, defends this decision in a Ycombinator forum post, first offering a roundabout jab at the reporter's English, commenting:
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
There will be no pay day for Mr. Khalil from Facebook. [Image Source: Zagg]
Mr. Jones goes on to write:
As you can see, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.
But that argument is clearly flawed, in that Facebook's staff had told him "this is not a bug". As one commenter on Mr. Khalil's blog puts it:
They told him flat out when he reported it "this is not a bug"; they didn't ask for more info or anything. He posted on Zuck's page, then it became a bug, but he violated the TOS. That's a no-win right there.
Mr. Jones did offer this halfhearted apology:
To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video initially, we would have caught this much more quickly.
But so far there's been no indication that Facebook is willing to dish out the $4,000 it normally gives for severe bug reports.
III. Facebook is Setting a Dangerous Precedent With Response
A campaign on IndieGogo has been started to pay Mr. Khalil the amount that Facebook shorted him, considering he disclosed in a relatively responsible way a bug that could have earned him big money from spammers.
The whole experience can be viewed as a cautionary tale to security experts -- particularly foreign ones. While Facebook has indeed paid out $1M+ USD for bug reports (the equivalent of 2,000 smaller bugs that carry a $500 bounty, or 250 bigger ones), it has at times refused to acknowledge certain bugs or arbitrarily denied reporters their bounties. These scenarios will certainly drive some to full disclosure out of frustration, although few full disclosures will be as flashy or as carefully documented as Mr. Khalil's.
Facebook can choose not to pay researchers, but it must beware alienating the community. [Image Source: Getty Images/modifications Jason Mick]
Yes, Mr. Khalil could be interpreted to be in violation of Facebook's ToS. But it's a black eye to the security program to not pay him, when he kept details of the vulnerability private, acted politely throughout the entire disclosure, and even first tried to go through official channels. It's Facebook's decision not to pay him, but it's the kind of decision that may cost the company in the long run, by stifling responsible disclosure.
It should be noted that this is not the first time a bug has affected Mark Zuckerberg's Facebook account. Previously, a bug had outed his private photos, revealing his budding romance with Priscilla Chan and his passion for hunting -- which in turn gave rise to the "Kill what you eat"
Khalil on Blogspot
Facebook on Ycombinator
Reward Khalil on IndieGogo
Copyright 2017 DailyTech LLC.