Through the use of bug bounties and private disclosure programs, many companies are able to keep close tabs on the threats researchers find in their products. Occasionally, however, an exploit slips through, causing a public relations mess as the researcher takes a high-profile alternate approach to disclosure. This scenario recently unfolded for Facebook, when independent researcher Khalil Shreateh alerted the social network to a vulnerability by hacking into founder Mark Zuckerberg’s page.
Shreateh’s exploit allows Facebook users to post messages on any other Facebook user’s wall. He initially demonstrated the attack by posting on the page of Zuckerberg’s college friend Sarah Goodin. After being dismissed by Facebook’s security team, which informed Shreateh that his exploit was “not a bug,” the Palestine-based researcher offered a proof of concept by making a post on Zuckerberg’s profile.
“Sorry for breaking your privacy and post to your wall,” Shreateh wrote. “I [had] no other choice to make after all the reports I sent to Facebook team.”
Facebook then responded to the vulnerability, asking for details and suspending Shreateh’s account, the researcher explained on his blog. Facebook engineer Matt Jones noted on The Hacker News that the issue has since been fixed. Shreateh’s account was restored, accompanied by a message informing him that he could not be paid for the disclosure, as it violated the terms of service of Facebook’s Whitehat program.
Ensuring responsible disclosure
The incident has nonetheless raised questions about what the appropriate response should have been in this scenario, TechCrunch noted. While Shreateh’s approach violated Facebook’s disclosure rules, it was also clearly well-intentioned. Some people have noted that the terms of service are only available in English, which is not Shreateh’s first language. However, Shreateh’s lack of detail and failure to use a test account made it particularly difficult for Facebook to work with him through normal channels, Jones noted.
“Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters,” he wrote on The Hacker News. He added, “We should have pushed back asking for more details here. However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat.”
Although Shreateh’s disclosure appears to have been carried out with good intentions, its unexpected form has turned the vulnerability into a higher-profile flaw than it might otherwise have been. As such, other organizations may find it a useful reminder that, even with a well-defined disclosure process, it is not always possible to control how flaws become public. With security safeguards such as the use of static analysis software, organizations can minimize the number of flaws that make it into their final products and reduce the amount of attention such security incidents attract.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.