Oh boy, Facebook critical vulnerability drama . . . here we go again. Yet another hacker claims to have reported a big Facebook bug that would allow an attacker to delete anyone’s account. He claims that Facebook is refusing the pay the Bug Bounty, but did close the security hole.
First, Facebook denied there was a bug when Khalil Shreateh reported a vulnerability that would allow an attacker to post on anyone’s wall. Shreateh, in turn, showed the vulnerability was real enough when he posted details on Mark Zuckerberg’s wall. Although that tactic had Facebook engineers quickly reaching out to Shreateh, he was denied the bug bounty. It turned out OK for Shreateh because he was paid, but by a crowdsource campaign started by security researcher Marc Maiffret. It successfully collected over $13,000 in donations for Shreateh, which makes the $500 bounty from Facebook look paltry.
After mentioning the challenge of dealing with hundreds of reports daily, including those “from people whose English isn’t great,” Facebook Security Engineer Matt Jones said Facebook wouldn’t pay because the bug was exploited on an account of a real person without his permission as opposed to being demonstrated on a test account.
Then this week, security researcher Arul Kumar reported a Facebook bug that would allow anyone to delete a photo from Facebook. He was paid a whopping $12,500 by Facebook’s white hat Bug Bounty program. In a video showing his exploit, Arul also used Zuck’s account but never actually deleted a photo from a “real person’s account.”
EDITOR'S UPDATE -- Sept 6, 2013, 10 AM -- Ehraz Ahmed contacted Computerworld this morning and asked that we remove our discussion of his blog post. Since he has removed access to the post, we want to inform our readers that it is no longer visible at the links below.
EDITOR'S UPDATE -- Sept 5, 2013, 5 PM Facebook is calling Ahmed's claim a hoax. The official statement, provided to Computerworld by Michael Kirkland, communications manager at Facebook, says:
This is not a real bug. We've audited our code to verify that there's no variant of the proposed exploit that works against this endpoint or any other that we've found. Furthermore, we've verified in our logs that the 'test account' being used in the demonstration video was manually deactivated by visiting https://www.facebook.com/deactivate.php."
A security engineer from Facebook also says,
This is simply a hoax. The html source shown in the video clearly says "No test user was deleted". We've verified in our logs that the victim account was manually deactivated by visiting https://www.facebook.com/deactivate.php. Anyone can visit https://www.facebook.com/whitehat/accounts/ and verify that the query parameter used by this endpoint is selected_test_users not selected_users. We've also audited our code to verify that there's no variant of this exploit that works against that endpoint or any other that we've found. In fact, the most recent code change to this endpoint was in April and was routine maintenance that had no security implications.
Facebook Bug Bounty eligibility states that to qualify for a monetary reward:
Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.
The Facebook Security Team paid out over $1 million dollars in the last two years since starting the Bug Bounty program. After the messy media storm when Facebook did not pay Shreateh for posting on its CEO’s private timeline, Facebook admitted it failed in its communication with the hacker and dismissed the issue too hastily. The company also announced two changes to the program. “(1) We will improve our email messaging to make sure we clearly articulate what we need to validate a bug, and (2) we will update our whitehat page with more information on the best ways to submit a bug report.”
We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug.
The moral to this story? It seems to be that no matter how critical the vulnerability, Facebook will not pay if you don't first try a test account to prove the flaw exists, and if that doesn't work, then don't touch another person’s account without their permission. Elsewhere, other people have jokingly commented that the moral to the story is to report it to Facebook and if the security team blows you off, then sell it as a zero day for big bucks.