A security researcher demonstrated an exploit to Facebook in a very direct way – he used the bug to post directly to Mark Zuckerberg’s Facebook wall. Facebook responded by briefly deactivating his account, and issuing a statement saying he would not be paid.
“Dear Mark Zuckerberg,” Khalil Shreateh, 21, wrote on Zuckerberg’s wall.”First sorry for breaking your privacy and post to your wall, i had no other choice to make after all the reports i sent to Facebook team. My name is Khalil from Palestine.” Shreateh detailed the events in a blog post.
Shreateh claims that his “reward” was to have his Facebook account deactivated briefly, and a message from Facebook staff saying that he would not be paid for his discovery, according to a report by Phys.org.
Shreateh claims to have reported the bug previously via Facebook’s White Hat progamme, but been rebuffed by Facebook staff. Shreateh claims that his previous reports of the bug were met with disbelief by Facebook staff, who replied saying, “I dont see anything when I click link except an error.”
Shreateh says he later got an email from Facebook staff saying, “Facebook disabled your account as a precaution. We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site. We have now re-enabled your Facebook account.”
A member of Facebook’s security team issued a statement via the Y Combinator forums, saying that the bug had been missed because it was reported as a link to another Facebook user’s page, and not in clear language, and that the bounty would not be paid as Shreateh had violated policies relating to how researchers operated. Shreateh had previously demonstrated the bug by posting a link to the personal wall of another Facebook user.
“Unfortunately, all he submitted was a link to the post he’d already made (on a real account whose consent he did not have – violating our ToS and responsible disclosure policy), saying that “the bug allow facebook users to share links to other facebook users”. For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters.”
“However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat.”
The post says that bug bounties will not be paid out to researchers whose work violates the privacy of Facebook accounts.
The Facebook security team member said, “In order to qualify for a payout you must “make a good faith effort to avoid privacy violations”. The post quoted instructions to researchers: “use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.”
Author Rob Waugh, We Live Security