Thursday, August 22, 2013

Posted by Unknown
12:00 PM


Facebook, which offers a bounty of US$500 or more to anyone who discovers a bug in its system, has come under fire for refusing to reward an out-of-work Palestinian programmer who reported a vulnerability that let people post to strangers' accounts without authorization.
The programmer, Khalil Shreateh, resorted to hacking Facebook CEO Mark Zuckerberg's page to prove his point after the company first ignored, then repeatedly dismissed, his report.
Facebook decided against paying Shreateh the bounty, explaining on Hacker News that this was because Shreateh had violated its terms of service by posting items to the Facebook pages of users he should not have had access to.
Shreateh later posted the sequence of events on his blog, triggering outrage and expressions of support from most commenters.
"I am surprised [Facebook is] refusing to pay the bounty," Rob Ragan, senior security associate at Bishop Fox, told TechNewsWorld. "If they choose not to recognize the submission because the researcher went public with this information, then that is their prerogative. The entire situation seems like an opportunity to improve the process."
Facebook declined to provide further details.
A Memorable Facebook Experience
Shreateh notified Facebook through the company's White Hat pages of the bug, which let any Facebook user post to other Facebook users' timelines even if they were not friends.
A member of Facebook Security responded, only to say he received an error message when he clicked on the link Shreateh had sent in.
Shreateh then emailed the Facebook team again, notifying them of the vulnerability and providing a link to the page of Sarah Goodin -- the first woman to join Facebook way back when -- on which he had filed a post without her authorization to prove his point.
Facebook apparently maintained that there was no bug, so Shreateh made a post on Zuckerberg's own timeline and sent a link to that over to the Facebook team.
Minutes later, Facebook security engineer Ola Okelola requested details of the exploit. Shreateh complied, and Facebook then disabled his account.
When Shreateh asked Facebook to reactivate his account, he was told it had been disabled as a precaution. He was also told his report did not have enough technical information for Facebook to act on, and that he would not be paid the bounty because he had violated the company's ToS. Facebook subsequently re-enabled his account.



Source: http://www.technewsworld.com
