Facebook vulnerability 2013

400 points, by khalilshr, over 11 years ago
Check this article, and guess what!! Facebook pays me nothing.

http://khalil-sh.blogspot.com/p/facebook_16.html

45 comments

tshtf, over 11 years ago
Note to security response teams everywhere: Not all vulnerability reporters speak perfect English, nor are they all experienced in writing up details on how to exploit issues. It is your responsibility to obtain details from reporters, after the initial report, to avoid situations like this. Facebook should give a bug bounty here, due to their lack of due diligence in following up with the initial responses.
stygiansonic, over 11 years ago
After watching the video, it looks like the exploit involves:

1) Getting the target user's userId. This used to be part of a user's profile URL but Facebook allowed people to choose a "vanity URL" quite a while ago, so they're no longer as visible. So, instead, the userId is obtained from a FB Graph API query.

2) The form that makes up the "post to newsfeed" has a bunch of hidden inputs. One of them refers to a "xhpc_targetid" and this is probably where the target userId is injected. It's normally set to the current user's id for a default newsfeed post. These values in the DOM are modified during the exploit using something like Chrome Developer Tools on-the-fly and the form is submitted.

If this is truly the case (and I haven't verified it myself) this means that the server side is not really checking permissions and just blindly trusting the client input. Reminded me of this recent article about trusting client input: http://arstechnica.com/information-technology/2013/08/how-easy-is-it-to-hack-javascript-in-a-browser/
asenna, over 11 years ago
The Social Network -

Ad Board Chairwoman: Mr. Zuckerberg, this is an Administrative Board hearing. You're being accused of intentionally breaching security, violating copyrights, violating individual privacy by creating the website, www.facemash.com. You're also charged with being in violation of the University's policy on distribution of digitized images. Before we begin with our questioning you're allowed to make a statement. Would you like to do so?

Mark Zuckerberg: I've... [Mark stands up to make his statement]

Mark Zuckerberg: You know I've already apologized in the Crimson to the ABHW, to Fuerza Latina and to any women at Harvard who may have been insulted, as I take it that they were. As for any charges stemming from the breach of security, I believe I deserve some recognition from this Board.

Ad Board Chairwoman: I'm sorry?

Mark Zuckerberg: Yes.

Ad Board Chairwoman: I don't understand.

Mark Zuckerberg: Which part?

Ad Board Chairwoman: You deserve recognition?

Mark Zuckerberg: I believe I pointed out some pretty gaping holes in your system.

----

The similarity is uncanny.
tptacek, over 11 years ago
Jim Denaro, @CipherLaw on Twitter, a lawyer specializing in these issues and someone who has studied bug bounty programs, twerped earlier at me:

"Paying out a bounty in that situation would be legally risky. Would advise against it."

Facebook's ToS forbid you to compromise other users' accounts in any way. Its bug bounty terms require the consent of any accountholder used to search for bugs. It's also bound by California laws regarding breach notifications. And over the long term, it must retain the ability to enforce its own ToS. These are just the objections I can think of.

If you're going to participate in a bug bounty program --- and you should --- don't use non-consenting accounts to do it. This is a simple issue that's been blown out of proportion by message board pathology.
mkjones, over 11 years ago
Hey folks - I work on security at Facebook (though not specifically the Whitehat program) and just wanted to let you know we're looking into this right now.
davis_m, over 11 years ago
I'm not sure how Facebook was supposed to know this was a vulnerability. If you look at the actual conversation it looks like Khalil is reporting the ability to post on other people's walls as a vulnerability.

In the first email, Khalil simply says that he can post to Sarah Goodin's Facebook wall. He makes no mention of the fact that he and Sarah Goodin aren't friends.

The Facebook engineer replies that he is unable to see anything from the link that Khalil sent. This is because the engineer and Sarah are not friends.

Khalil responds with a screenshot of the post. Again, Khalil makes absolutely no mention that he and Sarah are not friends at all. In fact, at this point it would appear that Khalil is friends with Sarah, as he states that only her friends can see her wall. I guess he is able to see the post he made though.

At this point, Khalil decides that the only course of action is to go post on MZ's wall. How is that sort of escalation appropriate? By paying Khalil at this point, all you are doing is telling people that MZ's account is an acceptable place to report vulnerabilities, which is a horrible precedent to set.
srinivasanv, over 11 years ago
Figure out another way to reward this guy (maybe tell him that it's a gesture of goodwill only) and reward him. It doesn't have to be from Facebook, Inc, but he should get something from somewhere.

Otherwise, next time he or any of his friends find a vulnerability, they'd be tempted to share it with the people who *would* reward them, since they've seen firsthand that their reports to Facebook seem to just get ignored. When you consider that his entire region is in turmoil, and that social media is clearly playing an important role in the uprisings across that region [whether you agree with them or not], you'll understand our reasons for insisting that his efforts be rewarded somehow.

Edit 1: Not suggesting that FB intentionally ignores their reports for poor English or any other reason, but that's clearly the impression they're getting.

Edit 2: And while I have no reason to believe that this guy (Khalil) would ever report a vulnerability to some dictator's security forces, others who have seen this story might. And those who have seen this need not be his friends either, since it's on HN, /r/technology, and elsewhere.

Edit 3: As tszming suggested, if you don't want to risk setting a precedent by offering cash, you could perhaps sponsor an all-expenses-paid trip (with no implications of future employment) for him to visit Facebook HQ. Granted I don't know the legal implications of this, but it does give you a chance to buy this guy lunch and tell him in person that you do appreciate his efforts, motivate him to continue reporting any vulnerabilities he finds, and tell him to encourage his friends to do the same. Actions speak louder than words, and there's no question this would have a far bigger impact than the dismissive two-liner he received, even if the intention was the same.
rikacomet, over 11 years ago
So what does this guy get for reporting one of the most relevant bugs that could have exploited the privacy of a billion people? PEANUTS!

When the top guys behave like this about rules, it clearly shows a lack of conscience. Rules are made to keep 99.9% of mess at bay.

This guy invaded the privacy of, say, 1-2 people, and that too only when the relevant authorities didn't respond in the correct manner, and saved the invasion of privacy of millions at least.

And what privacy? Only a relevant post (not spam) on the profile of the company's biggest authority.

Yeah, someone probably died of laughter from that post/breach of privacy... So DUMB!
Cyph0n, over 11 years ago
So they get the exploit and fix it without paying the person who found it. These kinds of actions lead exploit finders to instead pursue rewards through the black market. Very sad indeed.
danso, over 11 years ago
The OP's English is not excellent (but way better than my Arabic)... but I'd be interested in hearing the FB responder's rationale for dismissing the initial submission. Language barrier aside, the link and the image provided should speak for themselves.

But perhaps the bug hotline gets so much spam that the OP came off as junk email to the FB dev team? Just skimming over his email, I'm struck by how much poor punctuation and capitalization triggers my mental spam alert (and that's before even reading the actual contents).
cupcake-unicorn, over 11 years ago
Wow, upvoting this and I really hope it goes viral and FB gets called out for it. Hopefully he can get the bug bounty he deserves. That's incredibly sleazy of FB to treat him this way.
DanBlake, over 11 years ago
Looks like if you edit Facebook in Firebug while you are posting a link to your newsfeed you can change the source userid, which is not validated/checked and gets posted even though you don't have the permission to do it.
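The server-side check that stygiansonic and DanBlake above suspect was missing, as an added example (not code from Facebook or from any commenter): the first handler trusts the hidden xhpc_targetid field as sent, the second re-derives the decision from server-side state. The in-memory store, the rule "a wall accepts posts from its owner and from friends only", and all user ids are constructed assumptions.

```python
"""Authorization for a "post to wall" form: client-trusting vs. server-checked."""
from dataclasses import dataclass, field


@dataclass
class WallStore:
    # Constructed in-memory state: who is friends with whom, and posts per wall.
    friendships: set = field(default_factory=set)   # set of frozenset({a, b})
    walls: dict = field(default_factory=dict)        # wall owner -> [(author, msg)]

    def are_friends(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.friendships


class Forbidden(Exception):
    """Raised when the session user is not allowed to post on the target wall."""


def vulnerable_post(store: WallStore, session_user: str, form: dict) -> bool:
    """Takes the hidden xhpc_targetid at face value: whatever id the browser
    sends is the wall the post lands on. This is the behaviour the thread
    suspects; it is here only as the 'before' of the fix."""
    target = form["xhpc_targetid"]
    store.walls.setdefault(target, []).append((session_user, form["message"]))
    return True


def secure_post(store: WallStore, session_user: str, form: dict) -> bool:
    """The form value is a request, not a fact: the identity comes from the
    session, and the right to post on `target` is looked up on the server."""
    target = form["xhpc_targetid"]
    if target != session_user and not store.are_friends(session_user, target):
        # Reject (and, in a real service, log it: a burst of these from one
        # account is exactly the signal a detection rule should key on).
        raise Forbidden(f"{session_user} may not post on {target}'s wall")
    store.walls.setdefault(target, []).append((session_user, form["message"]))
    return True


def demo() -> tuple:
    """Runs both handlers on a form whose hidden field names a non-friend."""
    store = WallStore(friendships={frozenset(("alice", "bob"))})
    tampered = {"xhpc_targetid": "carol", "message": "hi"}  # carol is no friend
    vulnerable_post(store, "alice", tampered)                # lands on carol's wall
    try:
        secure_post(store, "alice", tampered)
        blocked = False
    except Forbidden:
        blocked = True
    secure_post(store, "alice", {"xhpc_targetid": "bob", "message": "hi"})
    return len(store.walls.get("carol", [])), blocked, len(store.walls["bob"])


if __name__ == "__main__":
    print(demo())  # (1, True, 1): one unauthorized post, one block, one allowed
```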
skeletonjelly, over 11 years ago
Have to agree with everyone here. The first email gives enough information to base a case on. Enough to simply do a quick search and verify these people aren't friends. I get less information than this from users for a product we support; it's frustrating, but if you don't investigate each lead as a potential you run the risk of having it snowball.

Shame on Facebook for dismissing this guy's reward due to the lazy actions of one employee. It would have taken one question, or one 5-minute validation of the claims, to make this a non-issue.
gary4gar, over 11 years ago
This is obviously because of the language barrier. It seems the bug reporter didn't have any evil intentions but was just trying to get the attention of Facebook so this could be fixed. So I think he should be paid. Maybe you can ask for an apology for tampering with user data, as he was wrong on that part, but still he did discover a valid flaw in Facebook's iron-clad security.
throwawayg99, over 11 years ago
I submitted a bug to Facebook's whitehat disclosure 3 or 4 months ago. Got no response whatsoever, except an automated response. The bug still exists. The bug allows users to post as though they are other users on the timeline. I think that is pretty serious, but I guess they do not.
esailija, over 11 years ago
I don't think you guys understand. You can't publicly use the exploit and then back away and use the white hat system after the fact. It clearly shows him spamming some profile before even making the first contact.
orf, over 11 years ago
The guy gave more info on his education than on the exploit he was reporting. How is he surprised that they didn't take him seriously?
callesgg, over 11 years ago
My view: If they fixed the "bug"/security hole, credit should be given.

The TOS stuff I think is a bit shitty. Partly because they made him do it (more than necessary).
philliphaydon, over 11 years ago
So Facebook refuses to pay this guy? So now this white hat hacker will, next time, sell the hack and make a lot more money... Way to go Facebook, you've fucked up again.
speedyapoc, over 11 years ago
What a terrible way to report a vulnerability. In no emails did Khalil clearly demonstrate how to reproduce it, despite giving "repro steps" which weren't reproduction steps at all. I understand there is a language barrier but that's just pathetic.
hvass, over 11 years ago
Of course in hindsight they should have been more diligent, but how many reports do they receive per day? But I see no excuse for not paying the guy for finding a serious flaw in their system, especially dismissing it on 'TOS' grounds.
ivanhoe, over 11 years ago
And they expect people to continue reporting bugs to them? Really?
badman_ting, over 11 years ago
Ugh, they handled his disclosure like such typical dismissive nerds. Disgraceful.
springishere, over 11 years ago
In my opinion good faith should be taken into consideration here. It sounds like he didn't understand the TOS as it was not in his native language. This didn't hurt Facebook at all and saved them a lot of trouble. I don't get why they don't just pay up and say thank you. As well as giving him a copy of the TOS in Arabic to avoid future misunderstandings.
kbar13, over 11 years ago
Just as your disclosure emails provide almost no information whatsoever, your blog post was also pretty devoid of useful explanation.
ramigb, over 11 years ago
A long time ago a friend and I once submitted a whitehat bug that allowed the user to send messages to anyone even if they had disabled messages from non-friends. I don't think this option still exists, but anyways, Facebook told us this wasn't a bug. We didn't even argue, suckers! I now wish I had done the same as Khalil and recorded the bug.
jeromeparadis, over 11 years ago
I had helped a friend report a security vulnerability to Facebook. It was similar in the sense that it allowed anyone who knew 2 Facebook usernames (easy to do) to post a private message to someone that would appear to come from a friend. You didn't even need to be authenticated on Facebook to do it and could post it from any machine on the Internet.

At first Facebook was similarly dismissive, saying it wasn't a bug. My friend pushed a bit to convince them with additional details and examples of how it could be easily used for exploits. They finally saw the light. The bug was fixed and my friend got paid $1K, which wasn't much for the bug's seriousness. In any case it got fixed and my friend got acknowledged, so it's OK.

It's a bit of a pity, though, that they didn't see it to be serious at first. I would have expected any mediocre engineer to skip a heartbeat when learning of such a bug in their system.
pearjuice, over 11 years ago
I find it harsh of Facebook that without technical leverage they do not pay out bounties.
BenjaminN, over 11 years ago
Shitty move from Facebook, because 1) this is a major security issue, 2) it could have done a lot of damage, 3) who coded this in the first place, seriously?

Come on guys, just give him the money.
stack0v3erfl0w, over 11 years ago
Can you provide details on how the exploit works? Even in Arabic, as I am pretty sure someone will be able to provide a good enough translation for us.
capkutay, over 11 years ago
One of my issues with FB is that it's not easy to report a problem or get any kind of support (although it's a free service). In one day, I lost over 100 Facebook friends with no explanation. It's obviously a little humiliating to have everyone think you defriended them. I hadn't seen the issue before, nor could I report it anywhere.
tzury, over 11 years ago
I bet posting on Zuck's wall helped wake the WH team as well: http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/
gedrap, over 11 years ago
If I was this guy, I would rather say screw it than try to get attention by posting to Mark's wall. Given the recent cases in the USA (e.g. he used wget!!!), Facebook could give a massive slap and sue him. And probably win.
uladzislau, over 11 years ago
Blissful ignorance. Next time a guy like this will either do a lot of damage or sell the exploit to those who will pay.

Every security report should be taken seriously regardless of whether it comes from a well-known expert or just a guy from Palestine.
Rygu, over 11 years ago
To all the commenters that think Facebook should pay this guy: he became "the guy who hacked Mark Zuckerberg ON Facebook" overnight. I guess that this will probably open some doors for him, and if not, he's still become famous. :)

Maybe Mark should just hire the guy to replace the initial bug responder.
homakov, over 11 years ago
Taking into account the fogginess of the researcher's emails and the amount of emails FB whitehat receives daily... I am not surprised they said it's not a bug.

PROTIP: Reports should have a PoC and be concise. No information about your bachelor's degree should be attached.
din12143, over 11 years ago
Let's hope that OP doesn't have any more security vulnerabilities in hand, because if he does, FB will pay the price of not paying him the first time :)
vxNsr, over 11 years ago
Well, the good news is that in the end he'll probably get something because of all the ruckus we've made! So good job, peeps!
harel, over 11 years ago
That is discouraging further reports... You should get paid Khalil. Hope it all works out.
loceng, over 11 years ago
Did someone post this to Reddit yet? This guy should get the bounty.
swamp40, over 11 years ago
So, how much money did he miss out on?
asitkumar, over 11 years ago
That's what happens when Mr Zuckerberg doesn't listen :P
weakwire, over 11 years ago
Or hire the guy. "Job: unemployee :/"
walid, over 11 years ago
Well done, my fellow countryman.
corresation, over 11 years ago
Unfortunate situation, but I suspect that the overwhelming majority of HN would have dismissed this out of hand (though it is perfect hindsight to now say they should have worked harder, etc). It reads like minimal-effort ramblings.