Hey friend, you all might know who Mark Zuckerberg is. For those who don't know, he is the C.E.O. of Facebook, the best social networking website on the internet. And what if someone hacked his profile? Shocking, no? But yes, Khalil Shreateh, who is retired from the Facebook security team, found a bug in Facebook through which you can post on anyone's timeline without being their friend. So he messaged the Facebook security team to review and fix this bug, but Facebook Security dismissed his message and replied to him:
"That was not a bug." Khalil once again submitted the bug to the Facebook security team, thinking that they would now fix it, but Facebook again dismissed his warning, saying:
"Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," the engineer wrote in an email. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."
He was frustrated and was wondering how he could prove the bug. He got the idea to hack Zuckerberg's profile and post something from it. He thought this proof would be enough for the Facebook security team, but when he published it, his account was suspended within 5 minutes. He hacked Mark's profile just sitting in front of his laptop in the West Bank town of Yatta, south of Hebron. The Facebook team called him and asked where the bug was and for its details. Facebook has a policy of paying a person who finds a bug on Facebook (minimum $500), but they are not paying the hacker because he violated Facebook's terms and conditions. Anyway, that bug is now fixed. Matt Jones from the Facebook security team wrote:
"OK - so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that 'the bug allow facebook users to share links to other facebook users.'"
He also said:
"We get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters,"
"However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here."