Facebook fixes timeline bug, cites language trouble in delay
A researcher in Palestine broke Facebook's rules by using a bug to post a message on Mark Zuckerberg's Timeline
IDG News Service - A Facebook engineer blamed language difficulties and documentation issues for a delay in fixing a bug that let a security researcher post directly to founder Mark Zuckerberg's Timeline, which is restricted if two users aren't friends.
Khalil Shreateh, who lives in Palestine, demonstrated the vulnerability by writing a message on Zuckerberg's Timeline after an earlier bug report he submitted wasn't acted upon, according to his blog.
The flaw was then fixed on Thursday, wrote Facebook software engineer Matt Jones. The social networking site on Sunday confirmed Jones' post, which attributed the delay to the volume of reports Facebook receives and communication issues.
"For background, as a few other commenters have pointed out, we get hundreds of reports every day," he wrote. "Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters."
Shreateh violated Facebook's bug reporting policy by demonstrating it on a real user's page, Jones wrote. Shreateh had initially demonstrated the flaw to Facebook by posting a message on the page of a woman who went to college with Zuckerberg.
It appears from email correspondence posted by Shreateh on his blog that Facebook did not feel at first that he had found a bug. Shreateh then posted the message on Zuckerberg's timeline. His blog includes a screenshot of that message in which he apologized to Zuckerberg for taking the issue directly to the CEO.
Facebook briefly suspended but reinstated his account, advising him that his report didn't contain enough technical details. The company said he was ineligible for receiving a reward under Facebook's bug bounty program because he violated their terms of service, an email message showed.
Jones wrote that Facebook lets security researchers open test accounts so vulnerabilities aren't tested on real user ones.
"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission," Jones wrote. "Exploiting bugs to impact real users is not acceptable behavior for a white hat."
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
- Social Media in Technology: A Unified Strategy for Success Find out how social media is sparking a new era of customer and industry-understanding in technology enterprises and how industry leaders are overcoming...
- Energizing Life's Work If your life's work is about caring for people in a business context, the latest digital and social innovations from IBM can help...
- Become a Social Business in the Cloud Read this solution brief to see how using IBM SmartCloud for Social Business services to become a social business can help your organization...
- Datacenter eGuide Read on to learn what technologies are essential for high-performing data centers today, and to get a glimpse of what the data center...
- It's not too late...Get Your Mobile Questions Answered Live! How can IT provide seamless and secure mobile communications and collaboration for all? Join this live Webcast as IDG asks an expert panel...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Social Media White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!