"First, sorry for recessing your privacy and post(ing) to your wall," wrote Khalil Shreateh. "I (have) no other picks to type after all the reports I sent to (the) Facebook team."
Shreateh, who describes himself as an unemployed defense scientists with a degree in information systems, said he found a pothole in Facebook's procedure that let him positions to any user's page, including exploiter not on his Friends list.
Such an stunt would be a virtual gold diggings for spammers, deception artists and others hunting to income advantage of the site's closely 1 billion users worldwide.
Shreateh said he contacted Facebook security about the vulnerability before using it to location to Mark Zuckerberg\'s page.
Shreateh said he contacted Facebook security roughly the vulnerability before using it to condition to Mark Zuckerberg's page.
On his blog, Shreateh posted a battery of e-mails he said were exchanged between him and Facebook security. After the first one, a Facebook employee responded that the link he attached was bad.
Man exposes Facebook security fault Zuckerberg pushes immigration overhaul Thumbs up for Facebook shares
Shreateh had included a post -- an Enrique Iglesias video -- he says he posted on the page of a woman who went to college with Zuckerberg. He speculated that Facebook's security panels couldn't see it because they weren't on her Friends list.
Somebody buy Mark Zuckerberg some clothes
Facebook responded to his assistant intimation to say the issue he was reporting was not a bug.
His response: "ok that mean(s) I have no choice other than report this to target himself on facebook."
Needless to say, that got their attention.
Facebook says the blame was fixed on Thursday. But over the weekend the occurrence began creation headlines on tech blogs.
On the Hacker News website, Facebook security board organ Matt Jones wrote that the language barrier with Shreateh, who is not a native English speaker, and the displacement of reports the site receives were partly to blame for the site's slow response.
"Unfortunately, all he submitted was a link to the positions he'd already made (on a actuality description whose accord he did not have) ... saying that 'the bacteria allow facebook users to share links to other facebook users,' " Jones wrote.
"For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great -- though this can be challenging, it's something we vocation with just penalty and we have paid out over $1 million to hundreds of reporters."
Because he violated Facebook's terms of service by hacking the pages of other users, Shreateh is not eligible to receive a reward under the site's White Hat program designed to discovery and predicament bugs.
Shreateh, who says he has been observing for business for two years, activity in the Palestinian city of Yatta, in a area where the unemployment rate is officially 22% and is higher among manhood in their 20s, like Shreateh.
"I could sell (information closely the flaw) on the black (hat) hackers' websites and I could make more mescaline than Facebook could pay me," he said in an nomination with CNN. "But for me -- I am a good guy. I don't incident with the black (hat) stuff."
In hacker circles, "white hat" is a semester for clan who report deed they find so they tins be fixed, while "black hat" often refers to clan who hack to proceeds advantage of those exploits.
He said he's proud that, as a Palestinian using a five-year-old laptop with broken keys and a broken battery, he had the skills to find a problem with one of the world's biggest websites. But he acknowledged hoping his tip would lead to a reward from Facebook.
"I never asked them, 'I poverty $4,000 or $5,000'," he said. "I didn't affair with them like that ... . (But) I really needed that money."
Security scientists Marc Maiffret launched an online performance Monday to pay Shreateh the crack Facebook denied him and had raised more than $8,800 by early Tuesday. "Let us all send a announcement to security researchers across the den and opinion that we appreciate the efforts they type for the good of everyone," Maiffret said on the GoFundMe page.
Facebook's Jones acknowledged that the security staff should have asked Shreateh for more information.
"I have to admit that I have some sympathy with Facebook on this issue," security analyst Graham Cluley wrote on his blog. "Although he was frustrated by the critique from Facebook's defense team, Shreateh did the injustice thing by using the flaw to opinion a message on Mark Zuckerberg's wall."
He would have been better served returning to Facebook's security strip with more evidence and further explaining it or, if that didn't work, carrying the dope to a technology journalist to report, Cluley said.
0 comments:
Post a Comment