NEWS ANALYSIS: Two incidents late last week illustrate what Facebook is doing right and what it is doing wrong to secure its hundreds of millions of users.
Facebook is one of the world’s most popular social networking destinations and a favorite target for hackers and security researchers alike. Two incidents this past week demonstrate the breadth and the limitations of Facebook’s current security model.
In the first incident, a security researcher exposed a vulnerability in Facebook by publicly exploiting the account of founder Mark Zuckerberg.
In the same time period, Facebook’s automated-scanning tool got tripped up by a false positive that led to an app outage.
In the Mark Zuckerberg Facebook Wall attack, security researcher Khalil Shreateh reported that he found a flaw and alerted Facebook. Shreateh alleges that Facebook ignored his report, so he was left with no other recourse than to demonstrate his flaw by publicly attacking Zuckerberg’s Facebook wall.
Facebook disagrees that Shreateh properly disclosed the flaw.
A Facebook spokesperson told eWEEK that the company’s official response to the issue was made in a comment on the popular Hacker News discussion forum. In that response, Facebook engineer Matt Jones noted that the researcher did not provide complete information and violated Facebook’s terms of service by testing the flaw on a real account, for which he had not obtained user consent.
Facebook has a bug-bounty program that rewards researchers for properly disclosing flaws. Earlier this month, Facebook reported that it has paid out more than $1 million in bug bounties to researchers over the last two years.
The Zuckerberg wall hacking incident and Facebook’s security programs overall are seen in both a positive and negative light by different security researchers.
“The fact that Facebook has open channels of communication, and a bug-bounty program, are clearly things they are doing right,” WhiteHat Security CTO Jeremiah Grossman told eWEEK. “Unfortunately, in this case, a language barrier got in the way of a vulnerability report, but Facebook was able to respond very quickly and fix the issue before more people, other than their CEO, were impacted.”
Chester Wisniewski, senior security advisor at Sophos, has a different viewpoint. Wisniewski noted that Facebook has long been understaffed for fielding security issues. “They liken their 1 billion users to that of a nation, yet are sorely under-invested in their national security,” Wisniewski said. “Having sufficient resources to address security concerns would likely have resulted in a more positive outcome.”
The issue, said Ken Westin, a security researcher at Tripwire, is the communication channels available to researchers to communicate security issues to Facebook. “Initially, Facebook’s bug-bounty team ignored the vulnerability that Khalil Shreateh submitted, twice telling him it was not a bug,” Westin told eWEEK. “It was only after he exploited the hole that Facebook’s security team requested more information; unfortunately, this is all too common.”