36 comments

[ 2.9 ms ] story [ 93.5 ms ] thread
Hopefully BeyondTrust will use the opportunity to also train him in responsible disclosure.

Regardless of the response you get from a vendor, you don't make use of an exploit against a vulnerable target. That is the line that separates the good guys from the bad. Period.

Facebook has invested heavily in sandbox environments and automated generation of test accounts with test data explicitly for researchers to help demonstrate vulnerabilities. It is even mentioned many times on the page where you go to find the address to report issues to and learn about the bounty program.

Lets not forget Mark himself was charged with breaching security, violating copyrights, and violating individual privacy by Harvard's disciplinary board for students - he turned out ok.
In order of desirability, the methods of dealing with a discovered exploit are:

1. Report to vendor and do not publicly discuss until they've fixed it

2. Demonstrate the exploit in public to prove that it works

3. Sell on the black market to Mafia/NSA/etc

The guy attempted approach (1), and didn't do a very good job of it, but it seems this was at least in part due to inexperience. Should he have worked more carefully to pursue option (1) first? Sure. But Facebook should have asked him for more information, perhaps pointing him to the guidelines.

So next he went to option (2). Facebook found the bug, and fixed it. Option (2) is infinitely better than option (3). I think Facebook should be extremely grateful to this guy - he even apologised for having to take this option in his post on MZ's wall, after (1) failed. Regardless of his & facebook's mistakes, they still should be thankful for him reporting it.

Option 2 is not "Post on real user's account", option 2 is "create account, use" or "use on established test account".

He was wrong, period, to post to a user's page. 100% wrong, and has no right to ask for the money, because of that. Facebook's response is exactly the correct response - fix the miscommunication, but remain firm in the denial of money to someone who broke clear rules.

You're being a bit silly about this. The actual harm was nil.
it might be technically correct, but people don't behave like machines, so the expected outcome in the future is not clear.
> "create account, use"

You mean create a fake account? Isn't that against TOS?

> "use on established test account"

Where the instructions are in English, even after changing language?

> He was wrong, period, to post to a user's page

Mark Z. is not just any user. FB is publicly traded, yes, but he is basically Facebook. It's not like he 'hacked into' someone's account.

The initial proof of concept post went to another user, not Mark Z. That was Facebook's basis for denying the claim.
The initial proof of concept post went to another user, not Mark Z. That was Facebook's basis for denying the claim.
There's a difference between "This is not a bug" and "We don't have enough information to proceed with your report. Can you please follow the guidelines here for a more detailed one? Thanks for your help."

If you want responsible disclosure, the guy just did the first step, reporting to your security team privately. Guide him, learn the thing, reward and move on.

I'm torn on this one. A while back I reported an exploit I'd found to a vendor to also get a back a "not a bug" response. Next version in their software had it fixed. They didn't have a bug bounty and I didn't have much interest in it past that I'd rather if fixed that not.

If there had been a small bounty on the line and it would have played out the same way, I'm not sure how I would have handled it. I'm all for responsible disclosure and wouldn't have any interest in posting it online or exploiting it. But what is the correct response if money is owed and you've already shared the exploit with the vendor?

In all fairness he did attempt to report it. Although very poorly. He an email saying in essence 'I found a bug' instead of 'If you change the id on the submit function of the post button you can submit to other walls.' If we would have sent the latter I think they would have paid more attention to him.
And he lives in Hebron in Palestine. How will they give him the money?

Answer: not easily. The financial blocks between that area and the rest of the world are just as real as the geopolitical ones. It will be impressive if they do it, short of a guy meeting him at a checkpoint and throwing an envelope to him.

Bitcoin's here, to save the day!
How will that solve the problem? Great, he'll have a wallet full of bitcoins. How many vendors in Palestine accept them as payment for goods & services?
He can still get online stuff with it. Online subscriptions. Video games. Pornography. Etc.
Indeed, also Palestine is full of money transfer places too not like there isn't a moneygram or WU branch everywhere. Russians cash out Bitcoins to banks there as well through Anelik, Contact sys ect
He could have been gifted online stuff anyway. Get an account, send him the password.

Bitcoins for these services add nothing other than some extra % costs when using them, and still don't solve the problem of getting physical goods where he is.

Don't you think it would be a bit weird to give the guy a subscription to Anal Magazine? Give him money, even if he can't get it physically, he can still use it online.
(comment deleted)
Going to research it a bit to make sure he will get the funds and then I am also donating http://www.gofundme.com/3znhjs

I am concerned "gofundme" will not be able to pay out to Palestine , I don't think paypal will work there and I don't even think USPS will deliver there? I know Israel will not allow Palestine to mail out internationally.

   update: they will NOT likely be able to pay out
https://gofundme.zendesk.com/entries/22590777-Is-my-country-...

https://www.paypal-community.com/t5/Getting-started/Palestin...

Palestine is not listed -> https://www.paypal.com/worldwide/

----

Guy lives in a place with 22% unemployment and has not been able to work in two years.

Watch this interview if you have not already http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...

Where there's a will, there's a way. They'll be able to get him the money - it just might not be through Paypal.
Yes, I realize (and encourage) that individuals will help him.

But I don't think gofundme will be able to pay out and therefore everyone's donations will have to be refunded.

I don't understand how someone could discover a security exploit in the first place without breaching the Facebook ToS. Doesn't that give them a getout for anything that's reported to them?
facebook have a well-established program to allow anyone to look for security-related bugs. There are indeed terms and conditions associated with it however, including not interfering with real data/people.
Terms and conditions which are only available in English.
They're available in Arabic and many other languages as well: https://www.facebook.com/legal/terms?locale=ar_AR
Those are not the whitehat terms at all.

But that doesn't matter since the argument was ridiculous in the first place. If you cannot understand or read rules, that doesn't meant they don't apply to you. Also, he understands English very well.

Language barrier or not as far as i know code is still written the same way. The least the Facebook guys could have done is ask for details not just reply this is not a bug.

And once you fix a bug reported by someone you don't get to deny their bounty. The best you can do is complain about the methods used to demonstrate it. You're not in a position to fk with hackers we are ultimately the ones helping you.

We have something that is ultimately more valuable on the black market that Facebook are paying us so they should be handing out bonuses not stealing what we earned.

nice. he made the world a safer place.

else {

   //Meanwhile somewhere in the black market

    $parent->postFacebook("I'll be early from work today and have lost my key. Leave the key in the flowers.");

    $child->postFacebook("Ok, no problemos.");
}
He hadn't managed to actually impersonate another user, just post on someone's wall who hadn't friended him.

Personally, I wouldn't leave my keys in the flowers because a random person I didn't know posted it on my wall.

What if: the random person has a matching name and a photo? :D
You wouldn't, but some kid might.