Entries with tag bug bounty.

Facebook Pays Big Bug Bounty

Facebook has awarded a bug bounty to a researcher who found a vulnerability in its support dashboard that would let hackers delete photographs from a user’s page. The company paid Arul Kumar, an independent security researcher based in India, $12,500 for his detailed report. The support dashboard portal lets users track the progress of reports they make about posts or photos that are abusive or that otherwise violate Facebook’s terms of service. The code that sends this information to Facebook is visible to the user and, thus, could be modified, Kumar discovered. This let him delete the photo from any account. Facebook has reportedly fixed the vulnerability. (PhysOrg)(TechCrunch)

Researcher Demonstrates Facebook Bug with Post to Zuckerberg

A Palestinian hacker, frustrated at a non-response from Facebook when he attempted to report a bug he had found to the company’s White Hat program, decided to demonstrate it by hacking Mark Zuckerberg’s account. Khalil Shreateh discovered a vulnerability that allows a user to post to anyone’s wall, friend or not. After his initial report, he was told by a member of the security team that it was not a bug. He then responded by posting a note to Zuckerberg’s wall, stating he had “no other choice.” Shreateh said he was immediately contacted by Facebook security seeking details of the exploit and, just as quickly, had his Facebook account disabled. Facebook claims that Shreateh provided insufficient technical detail, which did not allow them to replicate the bug. "Exploiting bugs to impact real users is not acceptable behavior for a white hat," the engineer wrote, adding that researchers are allowed to create test accounts to aid their research. Although Facebook has a bug bounty program with a $500 minimum bounty, it is not paying Shreateh, as his actions in attempting to report the finding violated Facebook’s Terms of Service. Facebook admits it should have asked Shreateh for more details. “We get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters,” Matt Jones told reporters. “We should have pushed back asking for more details here.” The bug has been fixed. “Both Facebook and Shreateh could have handled this better,” notes Larry Seltzer on ZDNet. “I hope they find a way to get Shreateh the money because he deserves it in spite of the arrogant way he demonstrated the bug.” (CNET)(ZDNet)(The Telegraph)(Khalil Shreateh Blog)
