A few days ago (though for some reason it only reached the French IT press today), there was this story about Khalil Shreateh, who seems to be currently freelancing as a security researcher.
To summarize it briefly, he reported a security issue to Facebook through the Facebook whitehat program, but his 2 reports were rejected (the second reply he got being “I am sorry this is not a bug” (!)). So he performed a proof of concept on
Suckerberg’s Zuckerberg’s account, and suddenly this became a valid bug: his account was temporarily locked until he contacted the bug report crew to sort things out. But they told him they wouldn’t pay for the bug (the whitehat program is supposed to give away rewards of $500 or more per reported vulnerability), precisely because… he performed the apparently needed proof of concept. For the sake of clarity, the bug was that anyone could post on any other person’s timeline (a feature normally reserved to friends of the person owning the timeline).
The reason why I’m posting about this here (you may have noticed this is not usually a newspaper ^^) is that the few articles I read about it were terrible. Oh yeah, and also because the vulnerability seemed to be trivial (hence the post title). The guy made a blog post explaining, I believe in good faith and with accurate details, everything that happened. If you’re (somewhat) used to bug reporting and basic security practices in web development and have a bit of time, just read his post. Otherwise, here’s a quick summary:
- the guy speaks poor English. I don’t mean this as a criticism, just as a fact that contributed to:
- his “reports” being indeed quite poor: they massively lacked explanations. A usual bug/vulnerability report is supposed to at least describe (even briefly) the steps to reproduce the issue. His just described the result. What’s more,
- he chose a private (hidden) profile to perform the demonstration, so the engineer who received the report didn’t have access to the posting (and despite all the nasty things going with the NSA, and Facebook’s terrible privacy in general, it seems that, surprisingly enough, engineers are not allowed to access private posts). But at that point (first report),
- the Facebook security guy just replied he couldn’t see the post instead of asking for more accurate details (and perhaps a POC on a test account). A poor reply leading to another,
- Khalil’s second report was basically the same as the first one plus a screenshot,
- yet the issue, although (very) poorly described, was quite obvious.
- Still, the security guy’s second response was clear: “this is not a bug”.
- Khalil then performed the exploit on Zuckerberg’s wall (just to post a description of the exploit itself), to give it the attention that it should have gotten in the first place. He should have performed that on a test account though.
So, he made poor reports, and targeted a couple of real accounts for his demonstrations. Still, the vulnerability was real and the demonstrations were made in good faith, with no intention to harm. The second one was made on Zuckerberg’s account in order to tell Facebook about the problem, after the communication issue with the security
idiot guy. The first one, well, I believe it may have been made accidentally during the discovery of the vulnerability. I think so mainly because of the choice of sarah.goodin as the target account. She’s not a famous person (at least not that I know of), he likely doesn’t know her, but she was a very early user of the site. More specifically, her account number is 33. I think there’s a possibility that he typed that number at random when probing for the vulnerability.
Which leads me to my last point, the vulnerability itself. At the end of his post, Khalil posted a video (warning: Youtube) showing how the exploit is performed. Although, just like his vulnerability reports, the video fails at showing all the steps, it shows enough to assume with a fair degree of certainty that the vulnerability only involves some trivial manipulation of the wall posting source code. I checked the current code: it contains the user ID of the wall you are posting on. Probably the hack was just to replace that ID with the ID of your target, and voilà. I don’t remember very accurately, but this was probably one of the first exercises on hackthissite.org when I used to play around (just had a quick look, lots of sad news on the front page at the moment :/). All this to say: this was a trivial vulnerability. The only reason it was hard to find is that it is such an obvious malpractice that you would assume a big
brother site such as Facebook would know better than this. Well, it turns out they don’t. And they don’t even pay up when someone comes and does the idiot check they should have done themselves in the first place…
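To make the “obvious malpractice” concrete, here is an added example (my own toy model, not Facebook’s code) of a wall-posting handler that trusts the owner ID carried in the form, next to the fixed version that decides authorization server-side from the logged-in session. The social graph, user numbers and the friends-only rule are constructed for the example.

```python
# Added example (not Facebook's code): a minimal model of the timeline-posting bug.
# The client form carries a hidden "owner_id" naming the wall being posted on.
# The vulnerable handler trusts it; the fixed one checks server-side.
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class SocialGraph:
    # Constructed sample data (hypothetical): symmetric friendships, posts per wall.
    friends: dict = field(default_factory=dict)
    posts: dict = field(default_factory=dict)

    def befriend(self, a: int, b: int) -> None:
        self.friends.setdefault(a, set()).add(b)
        self.friends.setdefault(b, set()).add(a)

    def can_post_on(self, actor: int, owner: int) -> bool:
        # The rule described in the post: your own wall or a friend's wall.
        return actor == owner or owner in self.friends.get(actor, set())


def post_vulnerable(graph: SocialGraph, session_user: int, form: dict) -> int:
    # Trusts the hidden field: editing owner_id in the page source lets anyone
    # post on any wall. No server-side check at all.
    owner = int(form["owner_id"])
    graph.posts.setdefault(owner, []).append((session_user, form["message"]))
    return owner


def post_fixed(graph: SocialGraph, session_user: int, form: dict) -> int:
    # The target still comes from the client (it has to), but whether this
    # authenticated user may post there is decided from server-side state.
    owner = int(form["owner_id"])
    if not graph.can_post_on(session_user, owner):
        raise Forbidden(f"user {session_user} may not post on wall {owner}")
    graph.posts.setdefault(owner, []).append((session_user, form["message"]))
    return owner


def demo() -> tuple:
    graph = SocialGraph()
    graph.befriend(1, 2)  # 1 and 2 are friends; 3 is a stranger to both
    tampered = {"owner_id": "2", "message": "hi"}  # user 3 edited owner_id
    post_vulnerable(graph, 3, tampered)  # succeeds: the bug
    try:
        post_fixed(graph, 3, tampered)
        blocked = False
    except Forbidden:
        blocked = True
    post_fixed(graph, 1, {"owner_id": "2", "message": "legit"})  # friend: allowed
    return len(graph.posts[2]), blocked  # returns (2, True)
```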
PS: OK, that was quite poorly written. In my defense it’s getting late here, and still it’s much better written than the original bug reports 😉