300 comments

[ 3.3 ms ] story [ 585 ms ] thread
Just as your disclosure emails provide almost no information whatsoever, your blog post was also pretty devoid of useful explanation.
> I found an exploit, here's proof, but I'm having difficulty conveying information due to linguistic barriers.

> Nope that's not a bug.

What did you expect him to do? Learn English on the fly? Conveying specific technical things is a difficult skill to learn even for native English speakers.

Sure his communication isn't the best, but neither is "I can't click that link" nor "This isn't a bug."

But it's reasonable to expect him to say something about how it was done. Recording a video is one possible method, and one he's evidently capable of.

Pasting a link to a Facebook profile does not explain the exploit.

Looks like if you edit facebook in firebug while you are posting a link to your newsfeed you can change the source userid which is not validated/checked and gets posted even though you dont have the permission to do it
This isn't true.
Obviously you cannot do so any longer as the bug has been fixed, but that seems like a good description of the exploit as shown in the video.
So they get the exploit and fix it without paying the person who found it. These kinds of actions lead exploit finders to instead pursue rewards through the black market. Very sad indeed.
Note to security response teams everywhere: Not all vulnerability reporters speak perfect English, nor are they all experienced in writing up details on how to exploit issues. It is your responsibility to obtain details from reporters, after the initial report, to avoid situations like this. Facebook should give a bug bounty here, due to their lack of due diligence in following up with the initial responses.
Yeah, what the hell were they doing responding "This is not a bug." without investigating or asking for more details? What the hell is the point of even responding to possible security alerts from the general public if you're not going to investigate?
I am curious to how many trash reports they have to sort through to identify real bug reports. Anyone care to comment?
Microsoft sifts through bogus security reports all the time. Raymond Chen posts the best-of-the-worst periodically.

Here are I couple I found:

http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247... http://blogs.msdn.com/b/oldnewthing/archive/2008/03/14/80801...

Yeah, but look at what he says in the first link:

Before contacting the submitter, we want to be sure that we weren't missing something, but after looking at it from every angle, we still couldn't see what the issue was.

...Stumped, we contacted the submitter. "From what we can tell, the call to system takes place before you call the Load­Keyboard­Layout function. Can you elaborate on how this constitutes a vulnerability in the Load­Keyboard­Layout function?"

(comment deleted)
(comment deleted)
Yeah, I wonder why the guy who said "This is not a bug." isn't actually the one getting in trouble. Clearly I understand why not - but then his actions lead to the person reporting to escalate their actions to get attention. If the "This is not a bug." guy actually helped guide the person reporting to the proper, expected actions, then this would have likely gone completely differently.
Surely that person is in trouble, or will be once the relevant bureaucracy gets back on Monday morning. This is just a huge embarassment, and exactly the opposite of proper security analysis. But no one is going to admit that externally until all the internal work has been done.
It's an assumption that they even care or are looking into it. So far the resulted outcome is they are blaming the guy who didn't follow "their rules" (that wouldn't likely have been clear to him due to a language barrier). This should hit mainstream media though - because if that kind of bug exists, what else exists that Facebook doesn't even know about, that's being taken advantage of?
And to go further, Facebook has an office in Dubai. [0] Are you telling me if language was not a barrier, they could not find a single Arabic-speaking employee? They could even save money on the collect calls, if Facebook was not an option.

And hats off to Khaled. Hebron is not a fun place to grow up, and making it that far, a B.S. that is, is an accomplishment. I grew up with far more privilege and I am still not smart enough to come up with Facebook exploits.

[0] https://www.facebook.com/careers/locations/dubai

Primary reason for Dubai office - 0% taxes
Secondary reason for Dubai office - "Business" Trips
why there is no facebook location on Africa , this is racisme
"business" ? dubai ain't no fun
Yes, right. The security team will ask the management to locate an Arabic speaking employee to handle a cryptic email, and do so for every email! That will surely scale. And employees love handling email exceptionally well.
First someone takes the pain of reporting a security flaw instead of exploiting it to help you out.

Your answer - 'its not a bug its a feature'

What surprises me the most is how bad they are handling the incident! The behavior reflects that of a classic old and inflexible corporation that hides some details in their small prints to screw their customers over.

It reflects incredibly bad on their relationship with the tech community and I am sure we will see some superficial backpedaling very soon.

> The behavior reflects that of a classic old and inflexible corporation that hides some details in their small prints to screw their customers over.

You act as if corporations maliciously "screw their customers over". See the responses below and you'll see that in this specific case FB actually wins out when they pay more to their whitehats.

I hate to single out your specific response, but it's comments like this (and the other 90% on this thread) that remind me how very few people on HN have experience with businesses at scale. classic old and inflexible corporation or let's just call them "enterprises" create policies so they can protect the highest number of cases available, but not all of them. It would be silly to think otherwise.

Yes, but it is exactly these kind of policies that let enterprises, corporations or organizations look bad.

This is like getting PR advise from a lawyer when there is trouble coming your way. Sure, the lawyer will tell you to repeat "no comment" or deny any involvement over and over again. That might be the right strategy in a legal sense and work out fine when nobody is watching.

But you are loosing in the court of public opinion when the public perceives your actions as unfair. And denying some kid a few hundred bucks even so he found a legit hack just because he didn't follow some proper corporate policy guideline does definitely reflect negatively on Facebook.

> Yes, but it is exactly these kind of policies that let enterprises, corporations or organizations look bad.

And what do you propose the alternative? A legalised document that outlines every "if this"-"then that", in every language, continent, dialect, etc.? You know how that story goes...

> And denying some kid a few hundred bucks even so he found a legit hack just because he didn't follow some proper corporate policy guideline does definitely reflect negatively on Facebook.

You know what makes Facebook look even more negative? The future precedence set when good-will hackers think it's OK to use a non-test account and drop the exploit on the CEO's page.

I know it's hard for the HN community to do so, but let's try practicing some empathy with both sides before we pick up the pitchfork.

What is worse, a harmless facebook message on the CEOs wall or this exploit getting in the hands of malicious spammers.
I suppose I didn't articulate that point correctly. Facebook has a policy that basically says "if you find an exploit don't do it to real people, use a test account to reproduce it". So regardless of whether it's the CEO or Jane Doe, it sets a bad precedence that reproducing the exploit in a (real) environment is a very dangerous thing.
Lets hope that OP doesn't have anymore security vulnerabilities in hand because if he do, FB will pay the price of not paying him for the first time :)
Can you provide details on how the exploit works? Even in Arabic as am pretty sure someone will be able to provide a good enough translation for us.
The OPs English is not excellent (but way better than my Arabic)...but I'd be interested in hearing the FB responder's rationale for dismissing the initial submission. Language barrier aside, the link and the image provided should speak for themselves.

But perhaps the bug-hotline gets so much spam that the OP came off as junk email to the FB dev team? Just skimming over his email, I'm struck by how much poor punctuation and capitalization triggers my mental spam alert (and that's before even reading the actual contents).

And they expect people to continue reporting bugs to them? Really?
After watching the video, it looks like the exploit involves:

1) Getting the target user's userId. This used to be part of a user's profile URL but Facebook allowed people to choose a "vanity URL" quite a while ago, so they're no longer as visible. So, instead, the userId is obtained from a FB Graph API query.

2) The form that makes up the "post to newsfeed" has a bunch of hidden inputs. One of them refers to a "xhpc_targetid" and this is probably where the target userId is injected. It's normally set to the current user's id for a default newsfeed post. These values in the DOM are modified during the exploit using something like Chrome Developer Tools on-the-fly and the form is submitted.

If this is truly the case (and I haven't verified it myself) this means that the server side is not really checking permissions and just blindly trusting the client input. Reminded me of this recent (http://arstechnica.com/information-technology/2013/08/how-ea...) article about trusting client input.

If that is how it works, then it appears that Facebook have fixed it - you now see the message "message could not be posted to this wall".
(comment deleted)
This is a pretty vicious error but common one...it sounds like the analogue to Rails' mass-assignment default protections, which were exploited on Github by tampering with the params via inspector.

Coincidentally, that bug was also exposed by a non-native English speaker who was dismissed for his inability to fluently express himself.

http://homakov.blogspot.com/2012/03/how-to.html

no, i was dismissed for some other reason. My emails (i reread them a while ago) explained perfectly where's the bug.

On this topic: i still have no clue what vulnerability it was. Guy, do you know such terms XSS, CSRF etc? Can't u just say where's the bug, nobody wants to watch 6 (!) minutes long video with arabic subtitles rofl. peace

This used to be part of a user's profile URL but Facebook allowed people to choose a "vanity URL" quite a while ago, so they're no longer as visible.

They're still visible in photo albums and the like. Far from hidden.

It's not really obvious though
If you're investigating Facebook exploits it's one of the first things you'd have to learn about.
Correct. Sorry, didn't mean to imply it was hard to obtain this value (the switch to vanity URL part was more of an anecdote) but just to describe what happened in the video of the exploit.
I'd be surprised if this were actually the exploit. If it were, I don't think it would have stayed undiscovered for so long. I'm sure that changing the "xhpc_targetid" was one component of the hack, but some of the other inputs probably had to be manipulated as well.
I find it harsh of Facebook that without technical leverage they do not pay out bounties.
They didn't pay because he messed with other peoples' data. That's a clear no-go.
He couldn't have proved without doing that .
And then they would have paid....
He could have made test accounts with appropriate privacy settings. He could have just told the security team, "Your server does not validate permissions when posting to walls, so if you change this specific HTML form value to anyone else's profile ID, it will post to their wall."
It's pretty freaking obvious there was a language barrier problem here. He knew of the whitehat program, but not the ability within it to create test accounts: he asks the security team to set up a test account so he can post to it to show them the problem.
The guy gave more info on his education than the exploit he was reporting. How is he surprised that they didn't take him seriously?
(comment deleted)
Because they are responsible for not letting critical security exploits through
My guess is he thought starting by explaining that he has a CS education would make them less likely to assume his comment was from an ignorant foreigner.

Unfortunately, that didn't work either.

Unfortunate situation, but I suspect that the overwhelming majority of HN would have dismissed this out of hand (though it is perfect hindsight to now say they should have worked harder, etc). It reads like minimal-effort ramblings.
Wow, upvoting this and I really hope it goes viral and FB gets called out for it. Hopefully he can get the bug bounty he deserves. That's incredibly sleazy of FB to treat him this way.
I'm surprised at how many people just assume the FB sec team doesn't want to pay and therefore tries to not pay if they can get away with it. Their history of paying out is completely the opposite. I've reported several bugs and they're always extremely helpful. They're not an insurance company that wants to reduce cost by screwing over users and there is no historical evidence of that. They want to pay for bugs and get as many of them as possible. What they don't want is for researchers to mess with other users' data. The guy could have just used two accounts to demo (he managed to create a new account after his own account was blocked). Using Zucks account doesn't make it more convincing from a tech perspective. It only makes the guy taken less serious as most researchers care more about how it works than messing with accounts of famous people. Not the smartest move. I understand the sec team draws a line and doesn't pay researchers that mess with other people's data. That's not sleazy, that's sane otherwise it gets exponentially worse as people try to outdo each other in terms of impact instead of focusing on explaining the technique behind a hack.
thanks for explaining (you should have posted this as a top-level comment, imho)
"Using Zucks account doesn't make it more convincing from a tech perspective." - In this case, that's obviously false. The guy submitted the bug twice and the final reply was "This is not a bug." After posting to Zuckerberg's account it was subsequently fixed.

I'm sure the FB security team triages a lot of bug reports, and a few get away - hopefully they'll be better about trying to get more info (boiler plate requesting steps to replicate or a video), but beyond that no harm no foul. I can also see that they don't want to encourage researchers messing with real user data. However, if they paid him out and told him in the future, that he should provide more information and not use real accounts (or not get paid out, etc), that'd have the same effect (you know, since it already happened) w/o the bad will generated.

Instead, they didn't pay him, locked his account, and now we're reading that blog post, not only encouraging him and the people like him in the future to not submit these bugs in the future (certainly serious enough that it'd be worth discovering vs being in a 0-day marketplace), but generating way more visibility for no good reason. It's just not smart.

(comment deleted)
Just saw this on the front page of Google News, on CNet - looks like we've done it! Good for Khalil for getting the exposure he deserves, and I hope FB backtracks on their idiocy.
Of course in hindsight they should have been more diligent, but how many reports do they receive per day? But I see no excuse for not paying the guy for finding a serious flaw in their system, especially dismissing it on 'TOS' grounds.
I don't think you guys understand. You can't publicly use the exploit and then back away and use the white hat system after the fact. It clearly shows him spamming some profile before even making the first contact.
Spamming?

Edit: It was a tame music video. On the spectrum of demonstrating to a test account all the way through to selling his discovered flaw to actual spammers, I rate this at the low end.

It is some link to a youtube video, posted to a public user's facebook wall through the exploit. That's what the screenshot shows.
The point is not to individually judge the harmful effects of using an exploit publicly. That would be absurd. You have no right to say that the video posted on the girl's facebook wall was not a big deal. And I have no right to say that it was a big deal. The only sensible thing is to disallow any public usage of exploits whatsoever.
Hey folks - I work on security at Facebook (though not specifically the Whitehat program) and just wanted to let you know we're looking into this right now.
OK - so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video initially, we would have caught this much more quickly.

For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.

However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.

As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.

dude you are talking like a robot , how do you expect a hacker to behave upon your rules and follow your silly (tos) ... really unbelievable.
Does it concern you that ultimately the way the OP got your attention is by posting to MZ's account? Are you sure you'd have ever "discovered" it if he hadn't? I agree that the OP didn't do a great job, but if he's submitting a vulnerability that you really want to hear about and you're ignoring him because of some miscommunication and you ding him for doing the one thing that gets your attention, you're creating an environment where you're less likely to find out about these things.
I think there's a spectrum between letting whitehats do anything (including violating privacy, hurting real user accounts, etc) vs. suing everyone who changes a GET param somewhere. Having a whitehat program with (IMO reasonable) guidelines around not impacting unsuspecting real users seems to me like a good balance and is fairly close to the first part of the spectrum.

Obviously I don't love the end outcome, and this would have gone better for all parties if he had used a test account and included some kind of repro instructions (like that video) in the initial report.

>this would have gone better for all parties if he had used a test account and included some kind of repro instructions

Clearly, but that's not really something you can control. From your perspective, the other side of the tradeoff with "hurting real user accounts" is "leaving open a huge security hole", not "being mean to whitehats when they screw up". I don't disagree that the guidelines seem quite reasonable prima facie and perfectly fair to to the whitehat in some moral sense, but it's unclear if they're actually working. It boils down to, if you had to choose between finding out about this security hole the way you did or not find out about it at all, which would you choose? How many not-quite-so-aggressive versions of this guy are out there, and how many holes are you leaving on the table? Edited to add: If an important way of finding vulnerabilities is people breaking the rules, then the rules suck, regardless of their intrinsic fairness.

It could well be that keeping not-great-communicator/guideline-follower whitehats from reporting some number of bugs through questionable means is actually worth those flaws sticking around. Of course I don't see the daily flow of vulnerability reports to FB (or all the ones that don't ever get reported), so I don't know. But it sounds like a harder question than you make it out to be.

Again: how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.

We all know this person had good intentions. But good intentions aren't always enough. Facebook doesn't appear to be freaking out at him. They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

Firstly, no idea how you can conclude he hacked an account. A bit strong of language there? Second, does reason not come into play here? You don't have to write a policy to compensate people for violating privacy - however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.
In as much as he posted on another account's timeline without permission, he "hacked" it in the "unauthorized access" sense of hacked.

re: reason; where does his reason come into play? It does not seem reasonable to post to M.Z.'s timeline, I'd guess he did that because he was P.O.ed at being dis'ed by the support people.

In the bureaucratic theory I am aware, if you have rules (policies, proceudres, standards etc.) you need to apply them consistently. Sometimes the rule will allow for discretion, sometimes not. I don't see room for discretion here.

I believe you're comprehending his actions wrongly. He stated before he'd be able to post even onto M.Z.'s timeline, to announce that this isn't a narrow scope issue, and that it was to gain attention. I see no malicious or angered. If of course M.Z. all of a sudden sees some guy, who isn't a friend, posting to his wall - you think he might actually look into it, right?

Yeah, rules that don't take into account reason are inhumane. Similarly why we don't just give everyone 10 years in prison because they committed a crime - you take into account all aspects - and not just apply "oh but he committed a crime, so this is the result."

Rules that are not applied consistently are arbitary.

No one said anything about a crime. Denial of the bounty is not brutal.

> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?

This is like... the textbook definition of a hack.

> however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.

I love that this statement is downthread of a Facebook engineer's comment that states he considers the guidelines reasonable. It's as if you're just a drone following written orders without the ability to make compromises.

>> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?

>This is like... the textbook definition of a hack.

Perhaps of "hacking FB", but he didn't "hack an account".

I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.

All they are achieving by reacting this way (including the apologets) is that next time, such people will just sell their exploits on the blackhat market.

I don't think has anything to do with saving money. It really seems like a case of trying to take human judgment out of the equation. Strict adherence to rules is easy for bean-counters to push but frequently problematic for dealing with real world situations because rules are never perfect.
Facebook really doesn't need to save $10k by not paying this guy. It's about upholding the terms and not setting a precedent.

The blackhat market for Facebook exploits is not huge because the product is centrally controlled and can be patched at any time. It's not like 0-days for products with individual installations that aren't centrally controlled with forced updates - those are clearly valuable.

What incentive does the engineer have to look deeper, and more holistically at the situation? None, especially if he doesn't want to create friction within the company - he can just sit comfortably having followed written protocol. A human with compassion can make compromises, someone following orders can't.
Not sure what you mean by "again".

> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

I don't see why that is. They already provide the following caveat:

> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]

So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).

I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?

[1] https://www.facebook.com/whitehat

Immediately following that quote: Do not interact with other accounts without the consent of their owners.
He didn't try to reproduce the bug with a test account though. If he had and it hadn't worked, the fact that he then used a real account would've been acceptable.
> how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.

In the appropriate language: https://news.ycombinator.com/item?id=6231153

Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.

> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.

> But good intentions aren't always enough.

Several attempts to contact them despite being told the actions he was taken was not a bug despite clearly explaining why it was?

"Can't pay him" sounds like bureaucracy BS. I'd argue that it's in their best interest to find a way to pay him. Why make people jump through hoops to report an exploit in your product?

However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.

"Can't pay him" doesn't sound like bureaucracy BS, they don't pay him because he violated the TOS, it's on purpose. We could argue this is stupid and the TOS should be changed, but I can understand why they specify that in the process of reporting a bug you use a test account. Violating a real user privacy to report a bug isn't the proper way to report a bug. If they made an exception with this guy then they would have to make more exceptions and possibly set a bad precedent.
I disagree. I don't think that making a case by case assessment is opening the floodgates (that argument is exactly what I would call bureaucracy BS). For an exploit of this severity I would expect them to be grateful to someone who was obviously not being malicious regardless of some silly policy.
How would you feel if he found an exploit that allowed him to make all your private messages public and proceeded to report this by leaking your inbox?

I'm no fan of Facebook, but even I can see why they can't ever encourage such irresponsible behaviour.

As stated, a case by case assessment would most definitely capture this fictional scenario appropriately.
Well, we don't need to assess fictional scenarios, we can take a look at what this hacker has achieved.

1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)

2) Embarassing the CEO of a company and thereby also hurting the reputation of his company

3) And on top of that he breached his privacy

And you still think that they treated him too harsh by withholding payment? I mean couldn't he have waited a few more days or reopen the ticket - or maybe just use Facebooks test accounts? It's not like he waited for ages, he brought this bug to attention last friday.

But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZs wall.

It would be great if they said "We can't pay him" publicly then just cut him a cheque privately with the understanding that he not tell anyone he got paid. This way, they can go on with the TOS saying you can't affect real users with your hacks, and the dude that blew the whistle gets the reward.
The bug bounty won't cause others to report bugs if they pay in secret.
Is creating test accounts even allowed by the Facebook ToS?
I assume he means whitehat test accounts which are created in the whitehat console, and can only interact with other whitehat accounts
> Obviously I don't love the end outcome,

If only you could do something about it to make the end outcome more ideal.

Slightly off topic, but it would be nice if the test accounts really worked all the time. I've seen a number of cases where entire sections of the site (e.g. http://developers.facebook.com) that error out (return 500's) when using whitehat test account's auth info. This leaves us with little choice but to use real accounts in some cases.
So no one reasonable is allowed to actually make a decision eh? Must be shitty working at Facebook if decisions don't have a human-compassionate influence to them.
But a member of your team was in control of the outcome and messed up. This guy really wanted to make sure that you guys saw the issue in spite of a member of your team screwing up.

You should be rewarding him, not discouraging him.

I know arguing with someone as stubborn as you is useless, but what can I say?

I hope that the fb'er who replied to him saying "this is not a bug" has been retrained to use the words "we are unable to reproduce this issue, please provide further information or perhaps a video demonstrating the bug".
He posted to a real account before posting on Zuckerbergs account. I assume that is what they are dinging him for.
It's plain simple corporativism. The guy escalated the issue to their boss and they are not happy. Since this is probably a failure at multiple levels, they will fight back. It really sucks but it's all very unexpected.
> many of the reports we get are nonsense or misguided

Alright, here's a preemptive question for you then.

Should a logged in user be able to retrieve the email addresses of an arbitrary friend, regardless of their contact privacy setting being set to "only me"?

Hmm, wanna report at facebook.com/whitehat with more details? Please include repro instructions :).
Will do.
Since when did repo stand for "reproduction" in sofware engineering term? Never heard it around here. East coast.
The abbreviation he used was actually "repro", which seems like something that would likely be shortened in an environment where you say it a lot.
Repro, with an r. I've heard it more the last, say, five years than previously. Also East Coast.
Thanks also that was a typo. First time I have ever heard it was in these comments. We don't ever use it where I work and I deal with customer reported bugs every day.
It's possible I first heard in the OSS world and imported it to my jobs, but I'm not sure.
You're setting a great precedent for people to not use your program and instead, leak out bugs for malicious purposes rather than conform to your dodgy call of ToS. Saying "this is not a bug" doesn't even ask for more information, it cuts off his entire report as FALSE even though you have now admitted the bug was indeed not the intended way for Facebook to operate (people should not be able to post on other people's walls).

You seriously need to pay this guy like you promised, especially since he went to all the trouble to report it to you. This is a real low move for a company against this guy who obviously isn't a first-language English speaker.

Even if he violated a very minor and insignificant point in your terms, he only did it after you flat-out rejected his report. If you want to encourage reports, you need to be reasonable. If I was this guy, I would be absolutely furious after putting so much work in, doing it the pussy-way and reporting it to the company rather than leaking/selling it for spammers to use, only to get blindsided and literally make it all for nothing.

Pay the man.

He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.

Exactly, no harm was intended or done. Somebody posting on your wall doesn't even really impinge on your privacy (Hell, for all intents and purposes Facebook do it for profit). Whatever reward, perhaps reasonably reduced, they pay this guy will be cheaper than any bitterness earned from sitting behind a wall of pedantry with big fat righteous grins on their faces.

If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.

Is it even lawful for them to pay people that knowingly invade other people's accounts?
He posted something to them - he didn't access them.
I chose my words carefully.
Invading means to enter, and he didn't enter anything. He posted a link through Facebook's buggy system. The end.
Yeah this sounds like a super productive discussion.
Especially when you start using argument tactics like belittling.
You're right; I am officially derisive of this discussion. You know I'm not making an argument by trying to characterize this person's actions as malicious, but you keep raising that idea as an issue, because you actively don't want to understand what's happening in this situation, but would prefer instead to demonize Facebook's security team.
Posting something on someones wall isn't so much invading as it is leaving a sticky note on their door. By that metric UPS invades peoples homes quite regularly when they fail to deliver a package. Had he actually accessed any non-public details of a users account that might be one thing, but the only data he was able to view was the post he had created himself. In short, it was his data, from his account, it just happened to be located on someone else's page. Honestly it's not even that bad of a vulnerability, more like a mild nuisance.
Why wouldn't it be? At worst, wouldn't facebook be the aggrieved party, and not another user of facebook?

Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.

If this is the case, then surely facebook could just choose not to press charges, and if so, what would be unlawful paying him in that case?

The bank example's a tad off when trying to draw a correlation to this particular case. I do agree with your sentiment though. I would reword it and say: if someone pointed out to a stubborn bank manager who refused to listen that the vault and my h of the bank's money was easily accessible, by taking out afew dollars from the bank & handing it to him. The a very embarrassed manager would be right to reward the person for showing the institutions flaw and not robbing them blind.

They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)

They will pay for reporting of the bug. What's with the apparently intentionally inaccurate description of his actions? All he did was post to someone's wall, that's hardly "invading someone's account".
after being treated this way, i doubt this man (probably everyone who read this) will ever report bugs to facebook anymore.
i said that many times , agreed
You're doing good work. Don't be discouraged. You clearly have some talent, and you can do positive good with it. Large companies are wedded to their rules, terms, and systems. As you work more on these sort of things, the process will get easier. As you can see, there are many supportive people here.
Agreed, Facebook will not be safe anymore. All these white hackers will sell their exploit to black hackers.
if this bug, does what i think it does, this man if met with certain group of people, had the chance to make millions out of this bug.
"As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs."

I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit - and right aligned really badly as the page evidently expects arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.

This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.

edit - hmm, was about to check the situation with other languages, however now all the buttons are in arabic so I stopped bothering after the fourth random page.

They can't pay people to violate their terms of use or to try to violate the privacy of their users. Even if they wanted to, they're probably not allowed to do that.
They wouldn't paying him to violate the terms ... and it's not like Facebook has any problem with changing a user's privacy settings without permission - except I guess we probably somewhere in the agreements agreed to allow that, or not hold them accountable - probably both..
hahaha funny point
So if a security bug was discovered using methods that are against the TOS then the information about the bug is worthless for them and it's better to sold it elsewhere.
An argument could be made it wasn't so much the discovery of the bug but rather the manner of reporting it that was a ToS violation.
The payment would ofcourse be for discovering the bug.
The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.

However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.

Well according to Facebook, "this is not a bug". Which means the feature works as intended. If he is using Facebook as it is intended, then how can he be breaking the TOS?

When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.

Creating a test account is also kind of a violation of the TOS anyway:

"You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

You will not create more than one personal account."

They specifically allow accounts to be created for whitehat purposes at https://www.facebook.com/whitehat/accounts/
Interestingly, from that page:

"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."

You must be Mark Zuckerberg
Good point.

Lesson learned: Find a security hole, report it to Facebook, and they don't respond after two attempts? Sell it as a zero day.

Incentives matter. And there is always money to be had somewhere else.

Great point and I hope the FB security team take notice of your post. Whether or not this guy gets paid, I certainly hope they spend the money to get proper translation of their policies in every language they operate in.
https://www.facebook.com/legal/terms?locale=ar_AR

It's translated. I believe it requires you to be in a local to get this page to display automatically. It certainly exists for people creating accounts in arabic, and absolutely includes the relevant lines.

Does that page include the whitehat programme TOS, or is it just the general TOS?
Yes because if you go to Saudi Arabia and murder someone, you can get away with it because their law is written in Arabic and not English, therefore it doesn't apply to you. Newsflash - it doesn't work that way. The terms can be in Swahili and they still apply to you. Hacking somebody's Facebook to demonstrate a "bug" is black hat and not white hat. This was a real hack of a real person and this guy should be imprisoned in his home country, then extradited to the US to face cyber terrorism charges.
Why the hell would a non-US resident be extradited by his home country to the US to face some bogus charges? What's that hillbilly logic? How would US react if foreign countries were asking the US to extradite their own citizens to say, Iran?
Is your whitehat page translated to other languges? If I select a different language, only the login and footers are translated. I don't think you can reasonably assume that non-English speakers can understand the entirely English whitehat page.

Additionally, if you're not logged-in, then the test accounts page doesn't work. It redirects to the same page as facebook.com/whitehat, with no notification that the test accounts page even exists.

You should really pay him.

You seem to be making an awful lot of excuses to not just pay someone who brought to light a critical exploit. Do you work on the security team or are you a lawyer (maybe with a panicking accountant looking over your shoulder) trying to find fine print reasons say, "Aha! We can save money to our bottom line in this instance!" ? Do you know how silly it looks for you to make these excuses?
This is pretty silly. Facebook obviously doesn't care about the dollars here; if anything, I'd imagine they want to be paying more bounties.
Oh man! If only they could fix the situation!
You're willfully ignoring what the situation actually is.
The situation is the guy in good faith tried to give them repro steps and report a critical bug. Technically he fucked up and didn't do it on a white hat account. No harm was intended or done. They are denying him his reward based on a technicality. If that FB employee is not some lawyer trying to cover their asses, then he should want to pay this person and make it happen via some exception. If they truly didn't care about the money and wanted to pay more bounties they would do this. There is no danger of ruining the integrity of the ToS as another replier suggested. In future incidents they are free to not make an exception. In this case, it was all in good faith and the guy didn't know the proper procedure.
They're not "denying him the reward". He demonstrated the vulnerability on someone's actual account. They can't pay people to fuck with other people's accounts. That's not what bug bounties are about. Only on a message board is this hard to understand.
"Paying people to fuck with people's accounts" is a pretty dishonest way to frame this.
No, you just refuse to think about the larger picture. I went out of my way to say that this person wasn't deliberately harming anyone.

You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.

You're wrong about that.

I went out of my way to say that this person wasn't deliberately harming anyone.

Saying someone fucked with another person's account implies otherwise.

He didn't f* up Zuck's account. Just making a wall post on some account doesn't f* that account in any way.
It's still a violation of privacy though, and these are viewed as serious by the ToS.
A very specific message board, it seems like. /r/netsec is having no trouble understanding it.

Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.

It's understandable it's just not the right mentality towards someone that hacks for profit and bug bounties generally target this ($500 though is hilarious). Effort and time is supposed to be directly related to payout, if it takes more effort and time for less of a payout then the bug reporting is broken.
I remember a comment by you saying that most exploits are not that valuable. How valuable would this one have been?
It looks like preserving the integrity of their ToS to me. If you believe it is because of $500, you are a total idiot and I will not talk to you.
If you think good hackers report security bugs for $500, I am tempted to call you a total idiot too (though I will not).

Consider what motivates people more deeply.

That is a vague reply with no apparent relevance to anything I said except the amount $500 which was not to be taken literally. My point was that facebook isn't doing this to save money and believing so is idiotic.
My point is that people asking for a monetary reward might indirectly be asking for recognition, not the money per se.

Thinking otherwise might be idiotic too, but that's besides the point.

I agree with you that facebook should not pay for the bug since he violated the policy, instead, facebook can consider offering him an interview opportunity and sponsor him a trip to facebook.
How didn't he make a good faith effort? It seems that a language barrier may be part of the issue, no?
So the security person who said "This is not a bug," - what's happening there? If they had guided the guy reporting the bug, asked for more information or directed him to the expected methods for reporting, then this would have likely gone completely differently, right?
By the time he'd reported it, he had already used the exploit to post on a live, non-friend, account. As far as I understand , that's already a violation of the TOS.
It's fairly obvious he didn't understand the whole whitehat accounts he should have been using. English isn't his first language, so should we fault the guy for that - or Facebook who's an international company - with 1+ billion users? Or should Facebook own up to that they should probably update their documents - or give the guy a fucking break because they haven't done that? This is where you need REASON to react REASONABLY, and not just use a blanket statement to "make their life easy" in decisions like this. That's lazy and inhumane.
They're not faulting the guy for not having english as a first language. They're not rewarding him because he broke the TOS.
just pay the guy, it's $4k.

the language barriers are enough to justify any mistakes made in conforming precisely with the t&cs. he didn't abuse the hack. he reported it to you. pay him tbh.

What a cunt reply. The slave masters have trained you well.
If the content of the reply is so easily objectionable, you should probably be arguing on the basis of what it says.
(comment deleted)
You know, I agree with everything you have said.

But couldn't your team be a bit grateful? Though he did post to Zuck's account, he didn't sell the vulnerability as a zero day on the black market, no?

A cheap insurance policy, making the payout, cultivating trust with white hats who are nonetheless decidedly a bit bone headed (if not well meaning).

You apologise and pay the guy. Then you write it up as a public case study in very simple English. At each step point out what he should have done. That means the next people know what to do, and everything comes out positively from this.

At the moment the loud and clear message is that there are far more welcome places than Facebook to report found issues.

So can I report the same bug under the guidelines and get paid for it, or did you rob him and patch it already? Just pay the man, as a programmer a simple bug like this is a huge no no in the engineers part, and not rewarding the user for his conduct is plain selfish of the company.
Why didn't your coworkers reply back asking for more info? This is like the first thing security engineers should do. Look how serious Security Engineers at Microsoft reply back, http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247...

The right thing to do is add Khalil to the white hat list, and pay him what he deserves. He doesn't speak or read English as you have noticed. Your TOS for white hat page is NOT even translatable.

He used real accounts because your team did not care what he had to say. What do you think he should have done? Sell it to the black market?

How come you didn't have unit tests that tested this scenario on the server-side services?
You could have just replied with the name of a test account and told him to post to that one to verify the exploit. In that way you would avoid any permission problems with real accounts.
Clever solution. You should go work at faacebook.
"and we have paid out over $1 million to hundreds of reporters"

So each reporter received approx. $1000? That's all?... Heh, Facebook is very greedy company.

Matt you are a lazy spoiled jerk. No doubt.
From a PR perspective, here are the rules: 1. Apologize 2. Pay the guy 3. Spell out in clear,vanilla English the steps to take to report bugs. Don't be a fucking macho/idiot. No need to dig in your heels when u already shot yourself in the foot by saying right out of the gate that it was not a bug.
Agreed: Shreateh could have used/sold the bug to anyone, however he chose to bring it to the attention of FB. Knowing they didn't have enough information [to claim it as a bug or NOT as a bug] from him they could have requested it instead of ignoring it. Despite the fact he used it to post on Z'bergs wall, in his mind he that wa sthe most articulate way for him to show them what it does. Clearly he had no intentions of hacking his account further else he wouldn't have declared who he was. To be outraged by the fact he was desperately bringing this bug to FB's attention is ridiculous and you should be thankful. Instead showing reasons to not pay him are ungrateful and seem deliberate. Dude brought to you a decent hack, sort him out.
Bug profit flowchart:

You discover a bug on FB just by being a normal user not a "whitehat" security user:

* You discovered it by doing "something" to someone else account --> FB will not pay : SELL on black market.

* You think the bug isn't really a bug but then it happens again --> FB will not pay : SELL on black market.

* You have a life that you don't want to waste with reading through legalese and filling out forms. FB says it is not a bug. Maybe they are right? You don't want to spend the time arguing about it over email --> SELL on black market

* You are not a lawyer, or do not do security testing full-time on FB. Or you are a normal user who has not kept on the FB ToS now that we are on the 100 billionth version --> You probably did something wrong. --> FB will not pay : SELL on black market.

* You are a US citizen and do not want to be charged with CFAA violations as a hacker --> SELL on black market.

Otherwise,

FB might give you some money.

First, who starts a sentence with the word "ok"? Second, "we have paid out over $1 million..." to "hundreds of reporters..." true that would be 1000000/500 = 200.

How hard can it be to have an algorithmic approach to report submission? That is, please make sure your report is reproducible and/or give a link to video or other media for demonstrating the bug.

Also, given the resources of FB, can't they receive bug info in the natural language of the submitter? Why force everyone to use English? Its not like the FB company suffers for a lack of resources.

And yeesh, not paying out $500? Wow that is cheap.

rffinnegan: am simply thrilled to find someone who works for facebook in a dialogue. I am certainly glad that his issue was resolved, but I have been trying for months to find a route of communication other than your many multiple forms to communicate what has happened to my wife's account that was apparently hacked- who or how can I communicate about this?
I realize this is about a post on Mr. Zukerberg's page, but I am simply thrilled to find someone from faebook in a dialogue. I have been struggling for months to find a way to communicate about my wife's difficulties after her account was hacked. Who- not what form- do I communicate with about that, PLEASE?!
The attention this guy is getting is worth dramatically more than the $500, whether he intended this impact or not.
This is just bad PR for FB all around. You guys handled this poorly. It's obvious the OP held no ill intentions when he posted on MZ's wall - if anything he seemed to have been driven to it in order to get your attention to a serious bug which your team specifically claimed not to be a bug. Your ungrateful response is typical of a large corporation only out to save face.
FB should pay him double - or more - no telling how much he's saved the company by revealing the incompetence within the sec team.

Too bad FB doesn't have the graciousness to be thankful that the researcher didn't exploit what its security team deemed as dismissive.

Pay the man. He did you a you favor. Stop with all this jibber jabber regarding TOS. He could have used this security flaw to do damage. Instead he posted his name etc. "Rules are Rules" are for people too dumb to think. Pay up. Man you guys and gals who don't want to pay sound like a bunch of parrots. All you know is how to repeat words. THINK
What is needed is an onion site that offers the same amount of money that facebook does for real facebook exploits. So if Facebook ever does this again, just give them the one shot at it, then go post it to the onion site and get paid.
Clear message here- Whitehats don't bother to submit your finds to FB bc they'll find anyway to try to get out of paying!:)
A very smooth way how copyright thieves do their tricks of the trade. 1st they deny you that your work isn't good or just like here, you say "IT'S NOT A BUG". Then they they get your work, re-edit it and claim that it's their own. On this matter, the whitehat proved that there was a bug, then I'm pretty sure you tried to look further into his report and then figured out to identify the issue. Stole the idea from the whitehat and had it fixed.
Rules are meant to be broken. Pay the man, he saved the company money.
This is crap and you're embarrassing yourself and Facebook.

You all are lucky that people are sharing this stuff with you guys for $500 instead of on the black market for much more. You're also lucky that people are doing the job that highly-paid Facebook engineers should have done. And if I read between the lines of your post, you and your team think that you're pretty clever.

The right thing to do is to cut this guy a check for $500 and keep your mouth shut, before people stop reporting security bugs to you.

I know I'm already discouraged--if I find anything, the last thing I want to deal with is a mediocre engineer telling me I didn't fill out the TPS form the right way.

I completely agree!
Whatever! Facebook should pay him for figuring out the BUG in the system.
shame on both sides. especially on you mkjones! you failed your responsibility and still blabla!
In all fairness, he was also braking the rules of eligibility regarding his country. It states one must love in a country not currently under any US sanctions. I'm pretty sure there is no such country as Palestine in Zuckerbergs map, let alone in the official US world atlas.
you are mistaken as to what is the more important issue here. a friendly demonstration for your consideration because you ignored the lack before or the potential invasion of privacy for the millions of users of facebook? stop being so full of yourselves.
What you've just done is create a disincentive for "researchers" to report vulnerabilities to you. The next time Kahlil or someone else finds a vulnerability (and there will be a next time), he/she/they will simply use it and/or sell it. Kahlil did the right thing, at the end of the day, and only broke Facebook protocol in order to get your attention because you ignored his first (legal) notification of said bug. If you don't pay him, you'll have a hard time with credibility in future cases.

In addition to all of that, it's the right thing to do.

You stay classy Facebook.

the real reason why he wont be rewarded, is because the guy who found the bug, is an arab from palestine, who was being ignored on purpose. facebook is jewish. simple.
Pay the guy! He could have sold it and made lots of money. He was trying to do the right thing. Too bad he had to go to such extremes to get someone's attention.
your milking this aren't you. I know the truth.
WOW. Facebook is proving their scuminess once more. It's $500. Pay the guy you cheap asshat b-tards.
Facebook is wrong on this issue. OP made a good faith effort to report the problem. When this failed, he demonstrated the bug in a non-destructive way. He did not post maliciously, nor did he use the bug to obtain confidential information. When the channel set up by Facebook failed, he took the problem to the CEO. I will post this issue to various social media outlets until the OP is fairly compensated. Facebook's actions here are deplorable and discourage users' efforts to report bugs.
And the lesson we learned here kiddos is?

:Facebook can change, juggle, and ignore your privacy whenever they want to do whatever it is they want to do, but you can't even if it is to help them. So when he found a bug that would be a spammers dream then sell it to the spammers cause they would pay millions where Facebook will dick you out of 500$:

Highly unfair that you aren't paying him, TOS or not. Additionally, one could argue that your TOS is bad to begin with. It could be re-written to properly account for this situation. This guy did not have malicious intent - that is the bottom line and all that matters here.
You're a fucking idiot. He found a serious error in your system and made a good faith effort to inform you of it despite his language barrier. Instead of showing any sort of gratitude for his discovery and integrity, you chose to dig in your heels and discourage the man and others like him from bringing this to your attention. As a result, you've brought even more damage to the reputation and integrity of Facebook. Way to be an asshole.
If you admit that "you should have pushed back asking for more details" than you should also admit that because of that, you are partly liable for the fact that he did go beyond the explicit rules. Now, are those rules also in Arabic? Also, how are you to encourage users to work with you in a quick, efficient manner, if these kinds of things are bogged down with red tape? It's only $500. Perhaps, you should change your rules to make the system for bug reporting easier, efficient, and a bit more egalitarian. Best, LJ
Just give the guy a job. He did you a service and if he didn't do it, and others found this hack, they'd hack millions of accounts with personal information and YOU would be held responsible and taken to court! Either pay the man, or give him a job on your security team since he seems to do a better job than half of the team already there.
This is just GARBAGE!!!

He tried to bring this issue to facebook's attention and you guys turned a blind eye to him. He had no choice but to prove to you guys that it was real. So he did what he did.

Yes you guys have a test account and ask people to use it, well atleast pay this guy a portion of what you would have paid him if he would have proved the bug using a test account.

What is going to happen next? The next time a person finds a bug he is going to sale it to the highest bigger and some fool will end up posting on my facebook page embarressing me and my family.

Ever tried contacting Facebook Representatives over the phone and asking them for help with security issues?? I have... It is impossible.... After I would send you guys a ton of emails, no response.

What will likely happen is that Facebook will be taken to court because of the embarressments caused by some hackers and facebook taking too long to correct the issue.

What is just so F'd up is that Facebook could protect their users accounts by paying people a few hundred bucks.

This is just one of my main reasons i am barely on FB anymore. All you guys care about is just the money you all get on advertisments.

That's ridiculous, he didn't use the accounts of real people. Real people wouldn't have elicited the FB security team response within minutes. Real people don't have a "follow" button on their wall. He used the one account that got your attention and was not malicious and he deserves to be paid. You know damn well your terms are meant against maliciousness and spammers. Your stance is petty.
Someone may have commented on this: Shreateh could have used/sold the bug to anyone, however he chose to bring it to the attention of FB. Knowing they didn't have enough information [to claim it as a bug or NOT as a bug] from him they could have requested it instead of ignoring it. Despite the fact he used it to post on Z'bergs wall, in his mind he that wa sthe most articulate way for him to show them what it does. Clearly he had no intentions of hacking his account further else he wouldn't have declared who he was. To be outraged by the fact he was desperately bringing this bug to FB's attention is ridiculous and you should be thankful. Instead showing reasons to not pay him are ungrateful and seem deliberate. Dude brought to you a decent hack, sort him out.
I worked in FB before so I understand that it's kind impossible to track all the bugs/reports received without clear information provided. However, you can easily tell this guy is humble and not really trying to show off, it's the one who simple wrote "this is not a bug", instead of asking for more information, putting him to actually hack Mark's page.

For a better PR, pay him and use this case as an example to teach the future whitehats. FB has low esteem for a reason.

With all respect, obviously you was able to reproduce the bug and fix it. Maybe you forget, that language barrier to Palestine can be an issue too, so because you make not clear what you asking for, when he send you back a link. Obviously it is more work to post on Mark Zuckerbergs Page than respond in the way you want.

Plus i am very sure, the mistake was on Facebook ends in the first place. I experienced it myself: Since 6 month now i try that Facebook take action, because the break of privacy issues and violation of Facebook terms by a Facebook user - i even not give an response on any channel in tried.

If you really do not give him his reward for the Report and keep you informed, than this is extremely unfair from facebook end. IN this case i strongly recommend WhiteHat Hackers in future cases: Do not count on Facebook Team, publish bugs and security issues on Blogs. Obviously the Facebook team give priority not based if a problem is urgent, only how "public" it is.

Frank

Frank, this is a wonderful rendition of horrible grammar.
Although, Mr. Shreateh did not follow the Facebook TOC to the letter, as written by Facebook's legal team, he did operate in good faith, according to the Yahoo article, quoted below. Whether or not Facebook legally owes Mr. Shreateh $500 + change or not, the potential PR costs and being "cheap" image is one I would hope does not attach itself to Facebook - leave that to Walmart.

"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.

That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.

He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post. Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.

Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."

Lol. Khalil next time post a bug of facebook in the black market and then they will pay better.
Facebook - value themselves at $100bn, value their customers and developers as dirt. Very unclassy.
You guys should hire the guy since he showed the world what a big flaw that was, instead of selling it he kept on trying to tell to the company. He should be seen as a hero by Facebook!

Shows how many issues there should be that are not taken into account.

BTW: English not being the primary language for these folks has not to do with anything, shows how much stereotype there's in being American or not. It's a global world, wake up!

BR,

Exploiting bugs to impact real users is not acceptable behavior for a white hat

It's pretty arrogant of Facebook to redefine the meaning of white hat don't you think? Posting to the Facebook founders page to let them know of a security vulnerability is not malicious, plain and simply, not. Trying to steer the embarrassment of your failings because this guy didn't read your TOS is incredibly hypocritical.

Using a bug to post to said founder's page against his will is definitely not white hat behaviour. Period.
And you base that on what? Sending someone a message to give them a heads up on their security, no matter the medium used, is not malicious behavior, if you feel it is .. well, the world must be a very scary place for you.
I think we all know the signal-to-noise-ratio on the internet is a bit whack. So it seems entirely plausible that this was all due to an improperly formed submission.

That being said I think Facebook could have given the reward and a slap on the wrist at the same time considering the language barrier.

Considering the language barrier, a slap on the wrist is less appropriate. Facebook could have used this opportunity to publicize explaining to Khalil that his bug finding techniques are not in accordance with the guidelines and garner good will by paying him the $500 as an exception to the rule. The media would be frantically covering how facebook in spite of its guidlines decided to thank the person who reported the bug and overlook an apparently innocent mistake. A missed opportunity on facebook's end.
Why doesn't Facebook just create a live account that is set-up to see if it can be hacked? Or does that exist and I completely missed the point?
In all honesty I think you guys are being extremely harsh with a man that has pointed a huge problem on your website. He has done Facebook a huge favour and instead of paying him, you have the nerve to refer to a TOS not written in his first language as an excuse. This will lead to bad publicity for a multi million dollar company like yourselves. The man looks really poor and if he wanted to he could have made a lot of money selling that exploit to spammers. However he decided to do the ethically right thing, only to be stabbed in the back by Facebook. I cannot believe that a company of your size and magnitude would stoop so low, its pathetic!!!! Just on that basis I will boycott Facebook as your organisation seems to have lost all of its good morals!!!!!
By him demonstrating something which Facebook clearly stated "...is not a bug" at the time, Facebook can't claim he violated the ToS. If it was not a bug, he was taking advantage of a feature which Facebook gave him the liberation to by stating so. The moment Facebook claims it is a bug, that contradicts what Facebook told him in the email, and thus it is Facebook's fault, not his. Facebook REALLY should not have said "this is not a bug." Facebook then had few options: to leave this as a feature (which is ludicrous), or treat it as a bug and redact what was stated in the email, which means Facebook should pay the damn man. You can't lie in an email and then pull a 180 when it's convenient for you.
Non-rhetorical question: is your team concerned that not paying out a bounty for this report may be exploited by anti-semitic groups?

I can already picture people saying "of course, Mark Zuckerberg would refuse to acknowledge the work of a Palestinian." (regardless of the fact that Mark Zuckerberg describes himself as an atheist)

How about looking into paying this man for his honest bug finding work? The response from FB on this is disgusting.

    "We are unfortunately not able to pay you for this     vulnerability because your actions violated our Terms of Service.  We do hope, however, that you continue to work with us to find vulnerabilities in the site. 

  We have now re-enabled your Facebook account. 

  Joshua 
  Security Engineer 
  Facebook "
Pay the man!

As many others have said: The TOS was only available in English and that's not his first language. He did the only thing he could to get your attention and fix the problem.

My view: If they fixed the "bug"/security hole, credit should be given.

The TOS stuff i think i a bit shity. Partly cause they made him do it(more than necessary)

Ugh, they handled his disclosure like such typical dismissive nerds. Disgraceful.
This obviously is cause of language barrier. It seems bug reporter didn't have any evil intentions but was just trying to get attention of facebook so this can be fixed. so I think he should paid. maybe you can ask for an apology for tampering user data as he was wrong on that part but still he did discover a valid flaw in facebook's iron clad security.
Holy crap!! I cannot believe Facebook would be such scumbag dodgy fckers to not pay the guy. He reported it as he should have and then they call some bullsht about terms of service.

Note to anyone else who discovers a vulnerability: leak it and blackhat the hell out of it. Exploit users maliciously to the full extent of your power.

Have to agree with everyone here. The first email gives enough information to base a case on. Enough to simply do a quick search and verify these people aren't friends. I get less information than this from users for a product we support, it's frustrating, but if you don't investigate each lead as a potential you run the risk of having it snowball.

Shame on Facebook for dismissing this guy's reward due to the lazy actions of one employee. It would have taken one question, or one 5 minute validation of the claims to make this a non issue.

How does the first email contain enough information to base a case on? All he says is that he can post links to other people's walls. He makes absolutely no mention of not being the target's friend.
Hmm well the implication made sense to me. It would have taken a few seconds to see that these people weren't friends. And all the engineer had to do was ask at least one question to probe for more information instead of a dismissal.

Edit: I'm sure Facebook engineers have something a bit more advanced that this:

https://www.facebook.com/zuck?and=khalil.shr

This link works if they know each other. Try going to your profile and adding ?and=zuck for instance

Why would he be reporting it to whitehat if it was expected behavior?
Did someone post this to Reddit yet? This guy should get the bounty.
Yes, and they have a wildly different opinion than HN:

http://www.reddit.com/r/netsec/comments/1kkvei/user_reports_...

Well, since you seem to have a top comment there - you don't see an error in the way the initial security responses were? Why didn't they guide him into providing the information they needed, to ask him specifically? Or point him out to the whitehat program, etc? They have no responsibility there - is that what you're implying?
So what does this guy gets for reporting one of the most relevant bugs that could have exploited the privacy of a billion people? PEANUTS!

When the top guys behave like this about rules, it clearly shows a lack of conscience. Rules are made to keep 99.9% of mess at bay.

This guy invaded the privacy of say 1-2 people that too to when the relevant authorities didn't respond in the correct manner, and saved the invasion of privacy of millions at least.

And what privacy? only a relevant post (not a spam) on profile of the company's biggest authority.

Yeah someone probably died of laughter from that post/ breach of privacy... So DUMB!

What a terrible way to report a vulnerability. In no emails did Khalil clearly demonstrate how to reproduce it despite giving "repro steps" which weren't reproduction steps at all. I understand there is a language barrier but that's just pathetic.
I submitted a bug to Facebook's whitehat disclosure 3 or 4 months ago. Got no response whatsoever, except an automated response. The bug still exists. The bug allows users to post as though they are other users on the timeline. I think that is pretty serious, but I guess they do not.