Facebook, which offers a bounty of US$500 or more to anyone who discovers a bug in its system, has come under fire for refusing to reward an out-of-work Palestinian programmer who reported a vulnerability that let people post to strangers’ accounts without authorization.
The programmer, Khalil Shreateh, resorted to hacking Facebook CEO Mark Zuckerberg’s page to prove his point after the company first ignored, then repeatedly dismissed, his report.
Facebook decided against paying Shreateh the bounty, explaining on Hacker News that this was because Shreateh had violated its terms of service by posting items to the Facebook pages of users he should not have had access to.
Shreateh later posted the sequence of events on his blog, triggering outrage and expressions of support from most commenters.
“I am surprised [Facebook is] refusing to pay the bounty,” Rob Ragan, senior security associate at Bishop Fox, told TechNewsWorld. “If they choose not to recognize the submission because the researcher went public with this information, then that is their prerogative. The entire situation seems like an opportunity to improve the process.”
Facebook declined to provide further details.
A Memorable Facebook Experience
Shreateh notified Facebook through the company’s White Hat pages of the bug, which let any Facebook user post to other Facebook users’ timelines even if they were not friends.
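The article does not describe the bug's mechanics beyond this one sentence, so the following is an added illustration of the bug class rather than Facebook's code: a server-side "post to timeline" handler that trusts the target user id supplied by the client and never checks whether the poster is allowed to write there, placed next to a hardened version that enforces the target's timeline policy. All users, policies and function names are constructed for the example.

```python
"""Authorization check for posting to another user's timeline.

Added example, not code from the article or from Facebook. It models the
bug class the article describes (any user could post to a non-friend's
timeline) with a deliberately vulnerable handler and a hardened one.
Every user, id and policy below is constructed for the example.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an actor is not allowed to post to the target timeline."""


@dataclass
class User:
    user_id: int
    friends: set = field(default_factory=set)
    # Who may write to this user's timeline: "friends" or "only_me".
    timeline_policy: str = "friends"


@dataclass
class Store:
    users: dict
    posts: list = field(default_factory=list)
    denied: list = field(default_factory=list)  # audit trail of refused attempts


def post_vulnerable(store: Store, actor_id: int, target_id: int, text: str) -> int:
    """Vulnerable: validates that both ids exist, but never asks whether the
    actor may post to the target's timeline. A stranger's post is accepted."""
    if actor_id not in store.users or target_id not in store.users:
        raise KeyError("unknown user")
    store.posts.append((actor_id, target_id, text))
    return len(store.posts) - 1


def can_post(store: Store, actor_id: int, target_id: int) -> bool:
    """Authorization decision, evaluated on the server from the target's own
    settings, not from anything the client sent."""
    target = store.users[target_id]
    if actor_id == target_id:
        return True  # you may always post to your own timeline
    if target.timeline_policy == "friends":
        return actor_id in target.friends
    return False  # "only_me" or any unknown policy: deny by default


def post_hardened(store: Store, actor_id: int, target_id: int, text: str) -> int:
    """Hardened: same input validation, plus an explicit authorization check.
    Refusals are recorded; a burst of denials from one actor is a useful
    detection signal for probing of exactly this kind."""
    if actor_id not in store.users or target_id not in store.users:
        raise KeyError("unknown user")
    if not can_post(store, actor_id, target_id):
        store.denied.append((actor_id, target_id))
        raise Forbidden(f"user {actor_id} may not post to timeline {target_id}")
    store.posts.append((actor_id, target_id, text))
    return len(store.posts) - 1


def make_demo_store() -> Store:
    """Constructed sample data: user 1 is friends with user 2; user 3 is a stranger."""
    alice = User(1, friends={2})
    bob = User(2, friends={1})
    stranger = User(3)
    return Store(users={1: alice, 2: bob, 3: stranger})


def demo() -> dict:
    """Exercise both handlers and report what each one allowed."""
    store = make_demo_store()
    result = {}
    # The stranger succeeds against the vulnerable handler.
    result["vuln_stranger"] = post_vulnerable(store, 3, 1, "posted by a stranger")
    # The hardened handler refuses the same request and logs it.
    try:
        post_hardened(store, 3, 1, "posted by a stranger")
        result["hardened_stranger"] = "allowed"
    except Forbidden:
        result["hardened_stranger"] = "denied"
    # A friend and the owner are still allowed.
    result["hardened_friend"] = post_hardened(store, 2, 1, "hi from a friend")
    result["hardened_self"] = post_hardened(store, 1, 1, "my own post")
    result["denied_count"] = len(store.denied)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the pair is that both handlers validate their input; only the hardened one makes an authorization decision, and it makes that decision from server-held state (the target's friend list and policy) rather than from the request. Logging the refusals gives the security team the signal that was missing in the story above: repeated denied attempts from a single account against many different timelines.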
A member of Facebook Security responded, only to say he received an error message when he clicked on the link Shreateh had sent in.
Shreateh then emailed the Facebook team again, notifying them of the vulnerability and providing a link to the page of Sarah Goodin — the first woman to join Facebook way back when — on which he had filed a post without her authorization to prove his point.
Facebook apparently maintained that there was no bug, so Shreateh made a post on Zuckerberg’s own timeline and sent a link to that over to the Facebook team.
Minutes later, Facebook security engineer Ola Okelola requested details of the exploit. Shreateh complied, and Facebook then disabled his account.
When Shreateh asked Facebook to reactivate his account, he was told it had been disabled as a precaution. He was also told his report did not have enough technical information for Facebook to act on it and that he would not be paid the bounty because he had violated the company’s ToS. Facebook also re-enabled his account.
Shooting the Messenger
“To compound the error by not rewarding the white hat hacker is just poor policy and sends a message that the bug submitter is entirely culpable for the fiasco,” Jason Wong, director of product marketing at SilverSky, told TechNewsWorld.
In fact, Facebook’s staff had themselves failed to follow standard operating procedure. For example, they should not have dismissed Shreateh’s posting to White Hat out of hand without asking for technical details.
“It appears that Facebook employees followed through on the bug report, but what they failed to do was recognize the potential severity of the bug,” Wong remarked. “Clearly, they did not pursue the matter as much as they should have.”
The Zuck’s Dilemma
It could be that Facebook fears it may set a legal precedent if it pays Khalil for his discovery despite the fact that he breached its ToS.
Hypothetically speaking, a cybercriminal could carry out a malicious hack and later ask for a bounty for the flaw he exploited, in effect being rewarded twice for bad behavior.
Nonetheless, privacy “must be part of the brand promise for all social media companies and so must be taken seriously by all their employees,” Wong concluded, “even if a privacy issue ends up being a wild goose chase.”