Fi8sVrs, posted August 18, 2013 (edited):

A Palestinian information system expert says he was forced to post a bug report on Mark Zuckerberg's Facebook page after the social network's security team failed to recognize that a critical vulnerability he found allows anyone to post on someone's wall.

The vulnerability, which was reported by a man calling himself 'Khalil', allows any Facebook user to post anything on the walls of other users, even when those users are not included in their list of friends. He reported the vulnerability through Facebook's security feedback page, which offers a minimum reward of US$500 for each real security bug report.

However, the social network's security team failed to acknowledge the bug, even though Khalil enclosed a link to a post he made on the timeline of a random girl who studied at the same college as Facebook CEO Mark Zuckerberg.

"Sorry, this is not a bug," Facebook's security team said in response to Khalil's second report, in which he offered to reproduce the vulnerability on a test account of a Facebook security expert. After receiving the reply, Khalil claims he had no choice but to showcase the problem on Mark Zuckerberg's wall.

Screenshots on his blog show that Khalil shared details of the exploit, as well as his disappointing experience with the security team, on the Facebook founder's wall. Just minutes after the post, Khalil says he received a response from a Facebook engineer requesting all the details about the vulnerability. His account was blocked while the security team rushed to close the loophole.

After receiving the third bug report, a Facebook security engineer finally admitted the vulnerability but said that Khalil won't be paid for reporting it because his actions violated the website's security terms of service. Although Facebook's White Hat security feedback program sets no reward cap for the most "severe" and "creative" bugs, it sets a number of rules that security analysts should follow in order to be eligible for a cash reward. Facebook did not specify which of the rules Khalil had broken.

Somewhere between the second and third vulnerability reports, Khalil also recorded a video of himself reproducing the bug: www.youtube.com/watch?v=F9J8U9ZpEnw

In its latest reply, Facebook reinstated Khalil's account and expressed hope that he will continue to work with Facebook to find more vulnerabilities.

Via: http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/
andrei98M, posted August 18, 2013: What a bunch of cheapskates these Facebook people are.
danger2u, posted August 18, 2013: I wouldn't have told them anything and would have kept it for myself. F*ck Facebook.
Bebe, posted August 18, 2013: God, how much you could have done with that thing...
EAdrian, posted August 18, 2013: "Sorry, this is not a bug." If it's not a bug, then why the hell did they fix it?
seboo00111, posted August 18, 2013: Once again it has been proven that FB is full of idiots.
sebywarlord, posted August 18, 2013: He wasn't stupid, he was a whitehat, but unfortunately he ran into some obnoxious people.
seboo00111, posted August 19, 2013: @sebywarlord: Yes, he was stupid. If the team that handles FB's "security" told him they weren't giving him anything, do you think they'd give him anything after seeing that he posted something "shady" on Zuck's wall? Who is dumb enough to believe that Zuck reads the posts on his own wall himself? Obviously it was read by "those" who handle his image (the manager, whoever the hell that is) and they ratted him out. Serves him right.
alexandrubr, posted August 19, 2013: I'm not a big hacker, in fact I'm not a hacker at all, but I noticed that if someone has a private profile I can still see their profile picture in full size. How? Simple: right-click, View Image, then modify the link, i.e. delete the parameters, and done, you have the full-size profile picture... I sent a report (2 months ago) when I discovered this, but for nothing... I don't know if it's a big deal, but if I have a private profile... why shouldn't it be 100% private, if we brag about being the biggest social network in the world, right?!

P.S. RST doesn't let you view the avatar in full size and gives an error like "XSSi - not allowed" or something like that -> congratulations!

P.S.(2) If someone has already discovered this small error, sorry, I didn't take it from them; I'm just another person who thought of doing something this simple...
dekeeu, posted August 19, 2013 (edited): Take a look at the guy's blog and see how he sent the first two reports to Facebook. No explanation, nothing, just a link thrown in at random... Well, I can believe those engineers didn't understand what the vulnerability was about, if this guy is that clueless and doesn't know how to write a report. For those interested, his blog: facebook vulnerability 2013 | khalil
alexandrubr, posted August 19, 2013: I sent mine explained step by step, everything... for nothing.
Fi8sVrs (author), posted August 21, 2013: He got 10k USD. Khalil Shreateh - Facebook Bounty by Marc Maiffret - GoFundMe. Source: Zuckerberg's Facebook page hacked to prove security exploit - CNN.com
Maximus, posted August 21, 2013, quoting Fi8sVrs: "He got 10k USD. Khalil Shreateh - Facebook Bounty by Marc Maiffret - GoFundMe. Source: Zuckerberg's Facebook page hacked to prove security exploit - CNN.com" I would have made 20k out of this... and so on...
me.mello, posted August 24, 2013 (edited): Screw that poor bastard, HE DIDN'T DISCOVER THE EXPLOIT. Some time ago (a few months... I don't know exactly) this exploit was being sold from Pakistan or the Arab Emirates... I don't remember that exactly either; as far as I know there was an article on RST about it too... anyway, it was being sold for $500. Now, whether he went and rediscovered the old exploit, stole it, was given it or even bought it is another matter, but this is the same exploit; moreover, with that exploit you could also write on the timeline from one user to another, whether or not they were in your list.

Let's be serious now: I say it wasn't even a bug; if you had looked a bit at the code you would have realized why. Honestly, I knew about this and, believe me or not, it's 100% the same code (e.g. <input type="hidden" name="xhpc_targetid" autocomplete="off" value="163592527017735"></input>); they probably left out the verification method, along with the error: "Could not post to wall. The message could not posted on this wall." Now the suckers who bought the exploit got screwed.

Yeah, that's what poverty and greed do to people; he would have liked to work at Facebook too, but even he got screwed. I was amazed when I saw the video posted above; at least it's good that CNN victimizes him and kisses his ass, who knows, maybe they'll even give him something; who knows, maybe he's actually the one who discovered the vulnerability mentioned above and couldn't sell the exploit. FB may be big but it's not impenetrable, they make mistakes too.

Before: http://i39.tinypic.com/2ug2p15.jpg
After: http://i43.tinypic.com/2gumoaa.jpg

LE: Do something about the script, whatever host I post the images from it gives me a 404... maybe it's just in preview...
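Two posts in this thread describe the same class of flaw: me.mello speculates that the wall-post endpoint trusted the hidden xhpc_targetid field without verifying that the poster was allowed to write on that timeline, and alexandrubr describes getting a private profile's full-size photo just by stripping parameters from the image URL. The following is an added illustration, not Facebook's code and not code from anyone in the thread, of what a server-side authorization check looks like for both cases. The users, privacy policies, handler and function names (post_to_wall_vulnerable, post_to_wall, serve_profile_photo, allowed_by_policy) are all constructed for the demo; the thread does not say how Facebook's real check was implemented or fixed.

```python
"""Server-side authorization for wall posts and profile photos.

Added illustration, not Facebook's code. The client sends the target's
id in a hidden form field (xhpc_targetid); the server must decide from
its own records whether the logged-in user may act on that target.
Users, policies and function names below are constructed for the demo.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform the action."""


@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)
    wall_policy: str = "friends"    # who may post on the timeline
    photo_policy: str = "friends"   # who may fetch the full-size profile photo


def make_demo_db():
    """Constructed sample data: alice and bob are friends, mallory is a stranger."""
    return {
        "alice": User("alice", friends={"bob"}),
        "bob": User("bob", friends={"alice"}),
        "mallory": User("mallory"),
    }


def post_to_wall_vulnerable(db, walls, session_uid, form):
    """Suspected shape of the bug: the only check is that the target exists.

    The hidden field is attacker-controlled, so any logged-in user can
    write on any timeline, friend or not.
    """
    target_id = form["xhpc_targetid"]
    if target_id not in db:
        raise KeyError(target_id)
    walls.setdefault(target_id, []).append((session_uid, form["message"]))
    return True


def allowed_by_policy(db, actor_uid, owner_uid, policy):
    """Evaluate an audience policy using server-side state only."""
    if actor_uid == owner_uid or policy == "everyone":
        return True
    if policy == "friends":
        return actor_uid in db[owner_uid].friends
    return False  # "only_me" or an unknown value: deny by default


def post_to_wall(db, walls, session_uid, form):
    """Hardened handler: the target id is a lookup key, never a grant."""
    target_id = form.get("xhpc_targetid")
    if target_id not in db or not allowed_by_policy(
        db, session_uid, target_id, db[target_id].wall_policy
    ):
        # One generic message for "no such user" and "not allowed", so the
        # response does not reveal which ids exist.
        raise Forbidden("Could not post to wall.")
    walls.setdefault(target_id, []).append((session_uid, form["message"]))
    return True


def serve_profile_photo(db, viewer_uid, owner_uid, size):
    """Full-size photo access decided by policy, not by URL parameters.

    Removing a size parameter from the image URL must not be enough to
    get the full image: the check runs on every request for "full".
    """
    if owner_uid not in db:
        raise Forbidden("Not available.")
    if size == "full" and not allowed_by_policy(
        db, viewer_uid, owner_uid, db[owner_uid].photo_policy
    ):
        raise Forbidden("Not available.")
    return f"/photos/{owner_uid}/{size}.jpg"


def attempt(handler, *args):
    """Run a handler and report its result, or False if it was refused."""
    try:
        return handler(*args)
    except Forbidden:
        return False


if __name__ == "__main__":
    db = make_demo_db()
    stranger_post = {"xhpc_targetid": "alice", "message": "hi"}
    print("vulnerable, stranger:", attempt(post_to_wall_vulnerable, db, {}, "mallory", stranger_post))
    print("hardened, stranger:  ", attempt(post_to_wall, db, {}, "mallory", stranger_post))
    print("hardened, friend:    ", attempt(post_to_wall, db, {}, "bob", stranger_post))
    print("photo, stranger/full:", attempt(serve_profile_photo, db, "mallory", "alice", "full"))
    print("photo, stranger/thumb:", attempt(serve_profile_photo, db, "mallory", "alice", "thumb"))
```

The point of the hardened version is that the decision depends only on the authenticated session and the owner's stored settings; nothing the client can edit in the form or the URL (the hidden id, the size parameter) feeds into the grant, and an unknown target and a forbidden target produce the same response.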