After a frustrated Palestinian hacker broke into Mark Zuckerberg’s Timeline to report a bug, Facebook acknowledged today that they shouldn’t have ignored him. But, despite Facebook’s mea culpa, the hacker may still walk away empty handed.
“I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him,” wrote Joe Sullivan, Facebook’s Chief Security Officer, in a post addressing the incident.
Early last week, Khalil Shreateh discovered a vulnerability that allowed him to post on the Timeline of people who weren’t his friends on Facebook.
He reported the bug through Facebook’s whitehat disclosure program, which promises awards to bug hunters. His report was repeatedly ignored, and he resorted to getting Facebook’s attention by testing the bug on Zuckerberg’s personal Timeline.
And therein lies the problem, and the reason why Facebook refused to reward the hacker.
Sullivan explained in his post that researchers or hackers who find bugs should never report them by using them against real users. That’s precisely why Facebook gives hackers a way to create dummy accounts to test vulnerabilities, he added.
“We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users,” he wrote. “It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug.”
Sullivan also explained that Facebook receives “hundreds of submissions a day,” and just a small portion of those turn out to be legit.
“As a result we were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem,” he wrote.
Following this incident, Sullivan announced two changes in the way Facebook deals with bug reports. First, “we will improve our email messaging to make sure we clearly articulate what we need to validate a bug,” he wrote. And second, “we will update our whitehat page with more information on the best ways to submit a bug report.”
Even if Shreateh won’t get a dime from Facebook, he still might get a reward.
Marc Maiffret, the Chief Technology Officer of security firm BeyondTrust, launched a campaign to reward him on GoFundMe yesterday. And it has already gathered more than $8,000, slightly short of its $10,000 goal.
“It was a good thing that he did,” Maiffret told Wired. “He might have done it slightly wrong, but ultimately it was a bug he got killed off before anyone did a bad thing [with it].”