If at first you don’t succeed, get a supervisor’s attention. Or, in this case, that of the chief executive officer.
A Palestinian hacker posted a Facebook security vulnerability to CEO Mark Zuckerberg’s wall earlier this week, in an attempt to alert the company to the problem after his initial reports to Facebook’s security team were rebuffed.
The hacker, who goes by the name of “Khalil,” discovered a flaw that allowed users to make posts to others’ Timeline pages without being connected to them on Facebook. Khalil said he tried reporting it to the security team earlier in the week, but made little initial headway. Consequently, he made the post on Zuckerberg’s wall by using the vulnerability itself, a high-profile way (so to speak) of getting security’s attention.
It certainly did. The security flaw was fixed as of Thursday, shortly after Khalil posted to Zuckerberg’s page.
But the story isn’t as cut-and-dried as Facebook completely ignoring the White Hat hacker’s alerts. A post made by a Facebook security team member on Web forum Hacker News said that Khalil’s limited English skills and lack of complete information made it difficult for the team to immediately respond.
This, coupled with the fact that Facebook receives hundreds of bug reports on a daily basis due to the company’s Bug Bounty program — which pays hackers who report security vulnerabilities to Facebook — complicated the issue further.
Despite this, Facebook admitted its failure to follow up in its dealings with Khalil. “We should have pushed back asking for more details here,” Facebook software engineer Matt Jones wrote on Hacker News. (Facebook confirmed that the Hacker News post was indeed made by a Facebook employee.)
The company encourages further bug reports from Khalil and other White Hat hackers looking to help the site.
A Palestinian hacker posted a Facebook security vulnerability to CEO Mark Zuckerberg’s wall earlier this week, in an attempt to alert the company to the problem after his initial reports to Facebook’s security team were rebuffed.
The hacker, who goes by the name of “Khalil,” discovered a flaw that allowed users to make posts to others’ Timeline pages without being connected to them on Facebook. Khalil said he tried reporting it to the security team earlier in the week, but made little initial headway. Consequently, he made the post on Zuckerberg’s wall by using the vulnerability itself, a high-profile way (so to speak) of getting security’s attention.
It certainly did. The security flaw was fixed as of Thursday, shortly after Khalil posted to Zuckerberg’s page.
But the story isn’t as cut-and-dried as Facebook completely ignoring the White Hat hacker’s alerts. A post made by a Facebook security team member on Web forum Hacker News said that Khalil’s limited English skills and lack of complete information made it difficult for the team to immediately respond.
This, coupled with the fact that Facebook receives hundreds of bug reports on a daily basis due to the company’s Bug Bounty program — which pays hackers who report security vulnerabilities to Facebook — complicated the issue further.
Despite this, Facebook admitted its failure to follow up in its dealings with Khalil. “We should have pushed back asking for more details here,” Facebook software engineer Matt Jones wrote on Hacker News. (Facebook confirmed that the Hacker News post was indeed made by a Facebook employee.)
The company encourages further bug reports from Khalil and other White Hat hackers looking to help the site.
0 comments:
Post a Comment