That seems fine. This wasn't a responsible security disclosure, they're not punishing a whistleblower. Publishing an extension to the Chrome Web Store that lets anyone exploit the bug is NOT the responsible way for anyone to "highlight" a security issue unless normal channels have repeatedly failed (which was not the case here), let alone someone who is working for them.
This wasn't a security disclosure at all - Facebook knew that this information was available but didn't see it as a problem. The "problem" was that somebody tried to make the public aware of how it worked.
"Noticing a lack of significant public response to the visible nature of geo-location data on Facebook Messenger, despite media coverage dating back to 2012" - http://jots.pub/a/2015081101/
I disagree. This was not a security vulnerability; this was just a poor product decision made by Facebook (that had major privacy implications). The phrasing of their update a few weeks later supports that it was a conscious product decision since the beginning.
This developer highlighted a privacy issue with Facebook's product with a public proof of concept - it's no different than other proofs of concept built by the EFF et al. Facebook decided to react to it by being idiots, but that's not too surprising anymore from their behalf.
> Publishing an extension to the Chrome Web Store that lets anyone exploit the bug is NOT the responsible way for anyone to "highlight" a security issue unless normal channels have repeatedly failed
I think that's the core behind responsible disclosure. If I was management at facebook - I would be perfectly fine if he published a paper about it after we patched the bug (in fact I would encourage him to do it) - but not create an exploit allowing N number of people to use it then tell me about it.
Edit: changing point of view
If someone told me about an exploit in one of my sites - I might even pay him a small reward.
There is of course those who are completely out of touch with reality and completely ignore legit issues. Never forget the Super Meat Boy incident of 2010 [1]. That has actually made me stop playing their games - because it makes me uneasy to think they were sitting in the kitchen table or office and thinking "it would be a great idea if we connected directly a MySQL server to query custom level data!" - and not at least find someone to bounce that off of to wonder why other people aren't doing that.
In other news, Facebook is actively looking to purchase a global news organization so that they can report on Google's privacy violations - insiders say it's not Fox News. Completing the circle, Google's move to Alphabet allows them greater freedom to create their own news agency. Due to long periods of dog-fooding followed by eternal beta programs, pundits expect Googles service to reach general availability sometime in the fourth millenium.
Facebook should probably also get sued... I have trouble to believe that this was not intentional on their part since there is a setting to share or not to share your location.
I'm sure the kid will be OK. And maybe he can find somewhere better to work than Facebook now. I mean, who wants to spend their life working on helping find better ways to mine people's personal information to help make better ads anyway? Sure FB have some interesting technical challenges and they do release a lot of code as OSS, which is good. But they're not exactly a "cool" company.
14 comments
[ 3.0 ms ] story [ 31.6 ms ] thread"Noticing a lack of significant public response to the visible nature of geo-location data on Facebook Messenger, despite media coverage dating back to 2012" - http://jots.pub/a/2015081101/
This developer highlighted a privacy issue with Facebook's product with a public proof of concept - it's no different than other proofs of concept built by the EFF et al. Facebook decided to react to it by being idiots, but that's not too surprising anymore from their behalf.
I think that's the core behind responsible disclosure. If I was management at facebook - I would be perfectly fine if he published a paper about it after we patched the bug (in fact I would encourage him to do it) - but not create an exploit allowing N number of people to use it then tell me about it.
Edit: changing point of view
If someone told me about an exploit in one of my sites - I might even pay him a small reward.
There is of course those who are completely out of touch with reality and completely ignore legit issues. Never forget the Super Meat Boy incident of 2010 [1]. That has actually made me stop playing their games - because it makes me uneasy to think they were sitting in the kitchen table or office and thinking "it would be a great idea if we connected directly a MySQL server to query custom level data!" - and not at least find someone to bounce that off of to wonder why other people aren't doing that.
[1] http://forums.somethingawful.com/showthread.php?noseen=0&thr...
In other news, Facebook is actively looking to purchase a global news organization so that they can report on Google's privacy violations - insiders say it's not Fox News. Completing the circle, Google's move to Alphabet allows them greater freedom to create their own news agency. Due to long periods of dog-fooding followed by eternal beta programs, pundits expect Googles service to reach general availability sometime in the fourth millenium.
I mean, it's a cool hack, but common sense seems to have gone out the window.