Facebook vs. Hackers: Win One, Lose One
NEWS ANALYSIS: Two incidents late last week illustrate what Facebook is doing right and what it is doing wrong to secure its hundreds of millions of users.

Facebook is one of the world's most popular social networking destinations and a favorite target for hackers and security researchers alike. Two incidents this past week demonstrate the breadth and the limitations of Facebook's current security model. In the first incident, a security researcher exposed a vulnerability in Facebook by publicly exploiting the account of founder Mark Zuckerberg. In the same time period, Facebook's automated-scanning tool got tripped up by a false positive that led to an app outage.
In the Mark Zuckerberg Facebook Wall attack, security researcher Khalil Shreateh reported that he found a flaw and alerted Facebook. Shreateh alleges that Facebook ignored his report, so he was left with no other recourse than to demonstrate the flaw by publicly attacking Zuckerberg's Facebook wall. Facebook disagrees that Shreateh properly disclosed the flaw. A Facebook spokesperson told eWEEK that the company's official response to the issue was made in a comment on the popular Hacker News discussion forum. In that response, Facebook engineer Matt Jones noted that the researcher did not provide complete information and violated Facebook's terms of service by testing the flaw on a real account for which he had not obtained user consent. Facebook has a bug-bounty program that rewards researchers for properly disclosing flaws. Earlier this month, Facebook reported that it has paid out more than $1 million in bug bounties to researchers over the last two years.
The Zuckerberg wall hacking incident and Facebook's security programs overall are seen in both a positive and a negative light by different security researchers.