Fi8sVrs

Hacker posts Facebook bug report on Zuckerberg's wall

Posted (edited)


A Palestinian information system expert says he was forced to post a bug report on Mark Zuckerberg’s Facebook page after the social network’s security team failed to recognize that a critical vulnerability he found allows anyone to post on someone's wall.

The vulnerability, which was reported by a man calling himself ‘Khalil,’ allows any Facebook user to post anything on the walls of other users - even when those users are not included in their list of friends. He reported the vulnerability through Facebook’s security feedback page, which offered a minimum reward of US$500 for each real security bug report.

However, the social network’s security team failed to acknowledge the bug, even though Khalil enclosed a link to a post he made on the timeline of a random girl who studied at the same college as Facebook CEO Mark Zuckerberg.

“Sorry, this is not a bug,” Facebook’s security team said in response to Khalil’s second report, in which he offered to reproduce the discussed vulnerability on a test account of a Facebook security expert.


After receiving the reply, Khalil claims he had no choice but to showcase the problem on Mark Zuckerberg’s wall.

Screenshots on his blog show that Khalil shared details of the exploit, as well as his disappointing experience with the security team, on the Facebook founder’s wall.


Just minutes after the post, Khalil says he received a response from a Facebook engineer requesting all the details about the vulnerability. His account was blocked while the security team rushed to close the loophole.

After receiving the third bug report, a Facebook security engineer finally admitted the vulnerability but said that Khalil won’t be paid for reporting it because his actions violated the website’s security terms of service.

Although Facebook’s White Hat security feedback program sets no reward cap for the most “severe” and “creative” bugs, it sets a number of rules that security analysts should follow in order to be eligible for a cash reward. Facebook did not specify which of the rules Khalil had broken.

Somewhere between the second and third vulnerability reports, Khalil also recorded a video of himself reproducing the bug.

www.youtube.com/watch?v=F9J8U9ZpEnw

In its latest reply, Facebook reinstated Khalil’s account and expressed hope that he will continue to work with Facebook to find more vulnerabilities.

Via: http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/

Edited by Fi8sVrs
Posted

@sebywarlord;

Well, he was stupid. If the team in charge of FB's "security" told him they won't give him anything, do you think they'll give him something once they see he posted something "shady" on Zuck's wall?

Who is dumb enough to believe that Zuck reads the posts on his wall himself? Of course the people who handle his image (the manager, whoever the hell that is) read it and ratted him out. Serves him right :D

Posted

I'm not a big hacker, actually I'm not a hacker at all, but I noticed that if someone has a private profile I can see their profile picture in full size. How? Simple: right-click, view image, then modify the link, i.e. delete the parameters, and done, you have the full-size profile picture... I sent a report (2 months ago) when I discovered this, but in vain... I don't know if it's a big deal, but if my profile is private... why shouldn't it be 100% private, if we brag about being the biggest social network in the world, right?!

P.S. rst doesn't let you view the avatar in full size and gives an error like "XSSi - not allowed" or something like that... -> congratulations!

P.S.(2) If he has already discovered this small bug, sorry, I didn't take it from him; I'm just another guy who had the idea to do something this simple..

Posted (edited)

Take a look at the guy's blog and see how he sent the first two reports to the Facebook people. No explanation, nothing, just a link thrown in at random.. I can believe those engineers didn't understand how the vulnerability works, if this guy is useless and doesn't know how to write a report.

For those interested, his blog: facebook vulnerability 2013 | khalil - ????

Edited by dekeeu
Posted (edited)

Oh come on, damn it, HE DIDN'T DISCOVER THE EXPLOIT. A while ago (a few months... I don't know exactly) this exploit was being sold from Pakistan or the Arab Emirates... I don't remember that exactly either; as far as I know there was an article on rst too... anyway, it was being sold for $500. Now, whether he happened to rediscover the old exploit, stole it, was given it or even bought it is a secondary matter, but here we're talking about the same exploit. What's more, with that exploit you could also write on the timeline from one user to another whether you have them in your list or not.

Let's be serious now, I'd say it wasn't even a bug; if you had looked a bit at the code you would have realised why. Honestly, I knew about this, and believe it or not it's 100% the same code (e.g.:

<input type="hidden" name="xhpc_targetid" autocomplete="off" value="163592527017735"></input>

:D), they probably omitted the verification method and, with it, the error: "Could not post to wall. The message could not posted on this wall." Now the suckers who bought the exploit got screwed.

Well, that's what poverty and greed do to people; he would have liked to work at Facebook too, but even he ended up screwing himself.

I was amazed when I saw the video posted above. At least CNN plays him as the victim and kisses his ass; who knows, maybe they'll even give him something; who knows, maybe he really is the one who discovered the vulnerability mentioned above and couldn't sell the exploit.

FB may be big, but it's not impenetrable; they make mistakes too :)

before:

http://i39.tinypic.com/2ug2p15.jpg

after:

http://i43.tinypic.com/2gumoaa.jpg

LE: Do something about the script, whatever host I post the images from it gives me 404... maybe it's only in the preview...

Edited by me.mello
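The bug this reply points at is a server-side authorization check missing for a client-supplied target id (the hidden xhpc_targetid field). The following Python model is added here as an illustration and is not code from the thread or from Facebook: a wall-post handler that trusts the submitted id sits beside one that checks the poster/target relationship against server-side state and records denials so forged ids can be spotted. All user ids, the friendship table and the function names are hypothetical.

```python
# Constructed model of the missing server-side check behind the wall-post bug
# discussed in this thread; ids, friendship data and handler names are hypothetical.
from dataclasses import dataclass, field

# Rejection text quoted in the thread for a wall post that is not allowed.
WALL_POST_DENIED = "Could not post to wall. The message could not posted on this wall."

@dataclass
class WallStore:
    friendships: set = field(default_factory=set)   # frozenset({a, b}) per friendship
    walls: dict = field(default_factory=dict)       # target id -> [(author, message)]
    denials: list = field(default_factory=list)     # (author, attempted target) audit trail

    def are_friends(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.friendships

def post_to_wall_vulnerable(store: WallStore, session_user: str, form: dict) -> dict:
    """Trusts the hidden xhpc_targetid field: editing it lets anyone post on any wall."""
    target = form["xhpc_targetid"]
    store.walls.setdefault(target, []).append((session_user, form["message"]))
    return {"ok": True}

def post_to_wall_hardened(store: WallStore, session_user: str, form: dict) -> dict:
    """Authorizes the post against server-side state, never the client-supplied id alone."""
    target = form["xhpc_targetid"]
    if target != session_user and not store.are_friends(session_user, target):
        store.denials.append((session_user, target))  # keep a record for detection
        return {"ok": False, "error": WALL_POST_DENIED}
    store.walls.setdefault(target, []).append((session_user, form["message"]))
    return {"ok": True}

def suspicious_posters(store: WallStore, threshold: int = 3) -> list:
    """Users whose denied attempts hit at least `threshold` distinct non-friend walls."""
    targets = {}
    for author, target in store.denials:
        targets.setdefault(author, set()).add(target)
    return sorted(a for a, t in targets.items() if len(t) >= threshold)

def demo() -> tuple:
    store = WallStore(friendships={frozenset(("alice", "bob"))})
    forged = {"xhpc_targetid": "ceo", "message": "hi"}   # "ceo" is not a friend of mallory
    vuln = post_to_wall_vulnerable(store, "mallory", forged)["ok"]
    hard = post_to_wall_hardened(store, "mallory", forged)["ok"]
    for victim in ("dave", "erin"):
        post_to_wall_hardened(store, "mallory", {"xhpc_targetid": victim, "message": "x"})
    friend = post_to_wall_hardened(store, "alice", {"xhpc_targetid": "bob", "message": "hey"})["ok"]
    return vuln, hard, friend, suspicious_posters(store)
```

Running demo() returns (True, False, True, ['mallory']): the vulnerable handler accepts the forged target, the hardened one rejects it, friends still post normally, and the repeated denials single out the forging session.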
