facebook500
Threat and Vulnerability Management

Facebook fixes timeline bug, cites language trouble in delay

A Facebook engineer blamed language difficulties and documentation issues for a delay in fixing a bug that let a security researcher post directly to founder Mark Zuckerberg's Timeline, which is restricted if two users aren't friends.

Khalil Shreateh, who lives in Palestine, demonstrated the vulnerability by writing a message on Zuckerberg's Timeline after an earlier bug report he submitted wasn't acted upon, according to his blog.

The flaw was then fixed on Thursday, wrote Facebook software engineer Matt Jones. The social networking site on Sunday confirmed Jones' post, which attributed the delay to the volume of reports Facebook receives and communication issues.

"For background, as a few other commenters have pointed out, we get hundreds of reports every day," he wrote. "Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters."

Shreateh violated Facebook's bug reporting policy by demonstrating it on a real user's page, Jones wrote. Shreateh had initially demonstrated the flaw to Facebook by posting a message on the page of a woman who went to college with Zuckerberg.

It appears from email correspondence posted by Shreateh on his blog that Facebook did not feel at first that he had found a bug. Shreateh then posted the message on Zuckerberg's timeline. His blog includes a screenshot of that message in which he apologized to Zuckerberg for taking the issue directly to the CEO.

Facebook briefly suspended but reinstated his account, advising him that his report didn't contain enough technical details. The company said he was ineligible for receiving a reward under Facebook's bug bounty program because he violated their terms of service, an email message showed.

Jones wrote that Facebook lets security researchers open test accounts so vulnerabilities aren't tested on real user ones.

"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission," Jones wrote. "Exploiting bugs to impact real users is not acceptable behavior for a white hat."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

PREVIOUS ARTICLE

« The worst deals in tech: Are you being fleeced by these 7 overpriced products?

NEXT ARTICLE

Dell drops $299 Windows RT tablet, cheapest offer now $479 »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Amazon Cloud looms over China: Bezos enters Alibaba home ground

Lewis Page gets down to business across global tech

Poll

Do you think your smartphone is making you a workaholic?