Palestinian information system expert Khalil Shreateh discovered a bug that allowed Facebook users to post on the Timelines of other Facebook users, even when they were not connected as friends, but when he submitted it to the social network’s white hat program, Facebook Security responded that it was not a bug. So Shreateh went straight to the top, exploiting the bug to post on the Timeline of none other than Facebook Co-Founder and CEO Mark Zuckerberg.
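The defect the article describes is a missing server-side authorization check: the site decided who was posting but not whether that person was allowed to post on the chosen Timeline. The following is an added illustration written for this page, not Facebook's code and not a description of how the real bug worked; the users, the friend lists and the `allow_posts_from_non_friends` privacy setting are all constructed for the example. It shows the vulnerable pattern beside a hardened one and a small `reproduce()` helper that checks whether a non-friend's post lands on the target's Timeline.

```python
"""Toy model of a timeline-post authorization check (hypothetical example).

This is not Facebook's code and says nothing about the real bug's mechanics;
it only models the class of defect the article describes: an action accepted
after authenticating the actor, without checking the actor's relationship
to the target.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when an actor is not allowed to perform an action on a target."""


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)      # names of accepted friends
    timeline: list = field(default_factory=list)   # (author, text) posts
    allow_posts_from_non_friends: bool = False     # constructed privacy setting


def are_friends(a: User, b: User) -> bool:
    # Friendship must be recorded on both sides; a one-sided entry is not enough.
    return b.name in a.friends and a.name in b.friends


def post_to_timeline_vulnerable(actor: User, target: User, text: str) -> None:
    # Defect modelled here: authentication only ("who is posting?") with no
    # authorization ("may this actor post on *this* timeline?").
    target.timeline.append((actor.name, text))


def post_to_timeline_hardened(actor: User, target: User, text: str) -> None:
    # Server-side authorization, evaluated on every request regardless of
    # what the client UI would normally let the user do.
    if (actor.name == target.name
            or are_friends(actor, target)
            or target.allow_posts_from_non_friends):
        target.timeline.append((actor.name, text))
        return
    raise AuthorizationError(f"{actor.name} may not post on {target.name}'s timeline")


def reproduce(post_fn) -> bool:
    """Return True if a non-friend managed to place a post on the target's timeline.

    Both users are constructed for the example; the target is not in the
    reporter's friend list, mirroring the situation the article describes.
    """
    reporter = User("reporter")
    target = User("target")
    try:
        post_fn(reporter, target, "hello from a non-friend")
    except AuthorizationError:
        return False
    return any(author == "reporter" for author, _ in target.timeline)


if __name__ == "__main__":
    print("vulnerable:", reproduce(post_to_timeline_vulnerable))  # True
    print("hardened:", reproduce(post_to_timeline_hardened))      # False
```

The point of `reproduce()` is that it is a self-contained check: a report that ships with something like it (constructed accounts, the exact action, the observed result) can be triaged without anyone having to guess what the reporter did.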
Shreateh chronicled the entire experience in a blog post, which included the screenshots and video in this post.
After discovering the bug, Shreateh posted a link to a video on the wall of Facebook user Sarah Goodin, who, like Zuckerberg, attended Harvard University. He then submitted a bug report to the social network, saying that he was able to view the post on Goodin’s wall, even though he and Goodin were not friends on Facebook, because he was the source of the post. Facebook Security emailed this response to Shreateh:
I don’t see anything when I click link except an error.
After resubmitting it, he received a second email from Facebook Security:
I am sorry. This is not a bug.
Meanwhile, his Facebook account was disabled, but Facebook Security reactivated the account, sending him the following email:
Facebook disabled your account as a precaution. When we discovered your activity, we did not fully know what was happening. Unfortunately, your report to our white hat system did not have enough technical information for us to take action on it. We cannot respond to reports that do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
We are unfortunately not able to pay you for this vulnerability because your actions violated our terms of service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
We have now re-enabled your Facebook account.
Frustrated with the actions by Facebook Security, Shreateh then exploited the bug he discovered to post this on Zuckerberg’s Timeline (unedited):
Dear Mark Zuckerberg,
First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports i sent to Facebook team.
My name is KHALIL, from Palestine.
couple days ago i discovered a serious Facebook exploit that allows Facebook users to post to other Facebook users timeline when they are not in friend list .
i report that exploit twice , first time i got a replay that my link has an error while opening , other replay i got was “ sorry this is not a bug “ . both reports i sent from www.facebook.com/whitehat , and as you see iam not in your friend list and yet i can post to your timeline .
this is the last email i sent including the Facebook team replay .
i appreciate your time reading this and getting some one from your company team to contact me .
OK — so I work on a security team at Facebook and sometimes help with reviewing white hat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he’d already made (on a real account whose consent he did not have — violating our ToS and responsible disclosure policy), saying that, “The bug allows Facebook users to share links to other Facebook users.” Had he included the video initially, we would have caught this much more quickly.
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great — although this can be challenging, it’s something we work with just fine, and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it’s sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout, you must “make a good-faith effort to avoid privacy violations” and “use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.” Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines.
Readers: Does Shreateh deserve a bounty from Facebook Security for his efforts to report the bug?