Facebook fixes timeline bug, cites language trouble in delay
A researcher in Palestine broke Facebook's rules by using a bug to post a message on Mark Zuckerberg's Timeline
IDG News Service - A Facebook engineer blamed language difficulties and documentation issues for a delay in fixing a bug that let a security researcher post directly to founder Mark Zuckerberg's Timeline, which is restricted if two users aren't friends.
Khalil Shreateh, who lives in Palestine, demonstrated the vulnerability by writing a message on Zuckerberg's Timeline after an earlier bug report he submitted wasn't acted upon, according to his blog.
The flaw was then fixed on Thursday, wrote Facebook software engineer Matt Jones. The social networking site on Sunday confirmed Jones' post, which attributed the delay to the volume of reports Facebook receives and communication issues.
"For background, as a few other commenters have pointed out, we get hundreds of reports every day," he wrote. "Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters."
Shreateh violated Facebook's bug reporting policy by demonstrating it on a real user's page, Jones wrote. Shreateh had initially demonstrated the flaw to Facebook by posting a message on the page of a woman who went to college with Zuckerberg.
It appears from email correspondence posted by Shreateh on his blog that Facebook did not feel at first that he had found a bug. Shreateh then posted the message on Zuckerberg's timeline. His blog includes a screenshot of that message in which he apologized to Zuckerberg for taking the issue directly to the CEO.
Facebook briefly suspended but reinstated his account, advising him that his report didn't contain enough technical details. The company said he was ineligible for receiving a reward under Facebook's bug bounty program because he violated their terms of service, an email message showed.
Jones wrote that Facebook lets security researchers open test accounts so vulnerabilities aren't tested on real user ones.
"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission," Jones wrote. "Exploiting bugs to impact real users is not acceptable behavior for a white hat."
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
- Social Media in Technology: A Unified Strategy for Success Find out how social media is sparking a new era of customer and industry-understanding in technology enterprises and how industry leaders are overcoming...
- Maintain Less. Create More. Spend less on maintenance and spend more time creating with Red Hat Enterprise Linux. Read on to learn how Red Hat can help...
- Flying High on the Use of Red Hat Enterprise Linux Flybe was one of the 21 companies that were interviewed for quantitative results on their operations as part of an IDC ROI analysis....
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Social Media White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!