Almost every piece of software ever developed has bugs. Applications are complex, and there is always a good chance that an error slipped past the developers unnoticed. This simple fact is why many software organizations offer "bug bounties", cash rewards for reporting such issues. A bounty makes the software more secure, and it motivates white hats to report a problem rather than leaving black hats to exploit it without telling anybody. Facebook created its own bounty program about two years ago.
Last night, RT News reported that a security researcher from Palestine named Khalil submitted a bug report to Facebook's security team. The second response he got from the team was "I am sorry this is not a bug". Tired of trying to convince Facebook security, he decided to go directly to Facebook's CEO, Mark Zuckerberg. This is what he posted on Zuckerberg's timeline:
“Dear Mark Zuckerberg,
Firstly I am very sorry for breaching your privacy and posting to your wall, I had no other way
after I had sent all the reports to the Facebook team.
My name is Khalil from Palestine. A couple of days ago I found out a Facebook exploit which permits users to post to other users' walls while they are not in their friend list. I reported this vulnerability twice; the first time I got a reply which said that my link has an error while opening, the second time it said that "sorry this is not a bug". Both reports I had sent from www.facebook.com/whitehat and, as you can see from the present scenario, I am not in your friend list yet I have posted this on your timeline.
The last email from my side is given in the link below, which also includes the Facebook team's reply:
http://pastebin.com/zzi2WYK6
I value your time reading this post and request you to get someone from your company team to get in touch with me.
Sincerely,
Khalil.”
Within a few minutes of the post appearing on Zuckerberg's wall, a Facebook official contacted Khalil asking for all the details of the exploit. The company immediately blocked Zuckerberg's account while the bug was being fixed. Facebook's engineers fixed the bug right away, but the company is now refusing to pay Khalil the bounty because his actions violated the terms of service. Technically they may be right: he should have created a test account rather than posting on a random woman's timeline. Still, we believe he was complying with the spirit of the rules and should be paid for his discovery. Facebook has no cap on the amount it pays for security issues; the minimum payout is $500.
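The report above describes a missing server-side authorization check: a request to post on someone's wall was honoured without verifying that the poster was allowed to. The following Python is an added illustration written for this article; it is not Facebook's code and does not claim to reflect how the real timeline service works. The `WallService` class, the friendship data and the user names are all constructed assumptions. It shows the vulnerable shape (trust the client-supplied target and write) next to the hardened shape (check the relationship first and record every refusal so the attempts show up in monitoring).

```python
"""Constructed model of the wall-post authorization rule (not Facebook's code).

Assumed rule: a user may post to a wall only when they own it or when the
two users are mutual friends. Everything here is an illustrative fixture.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a wall post is attempted by a user who may not post there."""


@dataclass
class WallService:
    # constructed fixture: user -> set of that user's friends
    friends: dict[str, set[str]] = field(default_factory=dict)
    # wall owner -> list of (author, text) posts
    walls: dict[str, list[tuple[str, str]]] = field(default_factory=dict)
    # audit trail of refused attempts, the signal a detection rule would key on
    denied: list[tuple[str, str]] = field(default_factory=list)

    def post_vulnerable(self, actor: str, target: str, text: str) -> None:
        """Vulnerable shape: the target comes from the request and is trusted.

        Nothing checks whether `actor` is allowed to write on `target`'s wall,
        which is the class of defect the article describes.
        """
        self.walls.setdefault(target, []).append((actor, text))

    def can_post(self, actor: str, target: str) -> bool:
        """Authorization rule assumed for this example: owner or mutual friend."""
        if actor == target:
            return True
        # require the friendship in both directions so a one-sided entry
        # (or a stale record) does not grant access
        return (target in self.friends.get(actor, set())
                and actor in self.friends.get(target, set()))

    def post_hardened(self, actor: str, target: str, text: str) -> None:
        """Hardened shape: decide on the server using server-held state."""
        if not self.can_post(actor, target):
            self.denied.append((actor, target))  # keep evidence of the attempt
            raise AuthorizationError(f"{actor} may not post on {target}'s wall")
        self.walls.setdefault(target, []).append((actor, text))


def make_service() -> WallService:
    """Constructed fixture: alice and bob are mutual friends; mallory is
    nobody's friend; carol lists bob but bob does not list carol."""
    return WallService(friends={
        "alice": {"bob"},
        "bob": {"alice"},
        "carol": {"bob"},
        "mallory": set(),
    })


if __name__ == "__main__":
    svc = make_service()
    svc.post_hardened("alice", "bob", "hello from a friend")
    for actor in ("mallory", "carol"):
        try:
            svc.post_hardened(actor, "bob", "should be refused")
        except AuthorizationError as exc:
            print("refused:", exc)
    print("bob's wall:", svc.walls["bob"])
    print("denied attempts:", svc.denied)
```

The useful operational point is the `denied` list: a correct check is only half of the fix, since a burst of refusals from one account against many unrelated walls is exactly the pattern a security team would want to alert on.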
Critics suggest that this might not have been a bug at all, but part of the NSA PRISM program used to keep an eye on people.