Facebook fixes timeline bug, cites language trouble in delay
A researcher in Palestine broke Facebook's rules by using a bug to post a message on Mark Zuckerberg's Timeline
IDG News Service - A Facebook engineer blamed language difficulties and documentation issues for a delay in fixing a bug that let a security researcher post directly to founder Mark Zuckerberg's Timeline, which is restricted if two users aren't friends.
Khalil Shreateh, who lives in Palestine, demonstrated the vulnerability by writing a message on Zuckerberg's Timeline after an earlier bug report he submitted wasn't acted upon, according to his blog.
The flaw was then fixed on Thursday, wrote Facebook software engineer Matt Jones. The social networking site on Sunday confirmed Jones' post, which attributed the delay to the volume of reports Facebook receives and communication issues.
"For background, as a few other commenters have pointed out, we get hundreds of reports every day," he wrote. "Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters."
Shreateh violated Facebook's bug reporting policy by demonstrating it on a real user's page, Jones wrote. Shreateh had initially demonstrated the flaw to Facebook by posting a message on the page of a woman who went to college with Zuckerberg.
It appears from email correspondence posted by Shreateh on his blog that Facebook did not feel at first that he had found a bug. Shreateh then posted the message on Zuckerberg's timeline. His blog includes a screenshot of that message in which he apologized to Zuckerberg for taking the issue directly to the CEO.
Facebook briefly suspended but reinstated his account, advising him that his report didn't contain enough technical details. The company said he was ineligible for receiving a reward under Facebook's bug bounty program because he violated their terms of service, an email message showed.
Jones wrote that Facebook lets security researchers open test accounts so vulnerabilities aren't tested on real user ones.
"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission," Jones wrote. "Exploiting bugs to impact real users is not acceptable behavior for a white hat."
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Business of Social Business Social business represents a significant transformational opportunity for organizations. Read this whitepaper to learn more.
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Social Media White Papers | Webcasts