Tuesday, August 20, 2013

Facebook's bug reporting system bug

The story goes around the Web. Khali, a young hacker, reported a Facebook vulnerability enabling others to have unauthorised access to your timeline and actually post on it. After not getting attention by Facebook developer support staff, he actually posted it to Zuckerberg's profile. Then, security engineers got more interested, contacted him for more information and eventually solved the bug, as the story goes.

Facebook has an award for verified security bug reports (of min. $500). However, considering that Khali broke the service rules, did not attribute him the award. Facebook Security group profile is now flood by user comments asking to "pay up the guy".

However, Khali did not reveal the bug in question. He also revealed a bug in Facebook bug reporting system. Generally, to report a bug you have to show how to reproduce it (usually by a screenshot of the problem). Thence, you have to actually reproduce it.

According to Facebook rules, bug reporters on security issues should use a test account. Still, test accounts "Cannot post to a page's Wall". So, Khali, who discovered a vulnerability enabling him to "post to a page's Wall" could not have used a test account. More over, as he comments in his page, for Facebook staff to access the vulnerability illustration, they actually had to break the terms of service and check the profile of the user who's privace has been violated by the exploit...

Of course, Khali could have made two test accounts, use the one to break the other's privacy and then show it - but then of course Facebook staff should access the second profile to verify it.

And, admittetly, when you're a young hacker, I guess there is no many things that could be as fun as report a bug to Zuckerberg in person...

The vulnerability is, in my view, in Facebook's bug reporting system. They should have already had "punching bag" user profiles, where such exploits could be tested, in the way Anti-virus developing enterprises leave some computers exposed to the net in order to catch new viruses - and thus identify them.

As terms of use are essential to the good functioning of a service, term of use violating exploits are valuable to know. While a "test profile quarantine" is a good solution, it was proven it is not sufficient.

No comments: