Facebook’s Swings And Roundabouts
This week we’ve seen Facebook get security right and wrong, says Sean Michael Kerner
Facebook is one of the world’s most popular social networking destinations and a favorite target for hackers and security researchers alike. Two incidents this past week demonstrate the breadth and the limitations of Facebook’s current security model.
In the first incident, a security researcher exposed a vulnerability in Facebook by publicly exploiting the account of founder Mark Zuckerberg. In the same time period, Facebook’s automated-scanning tool got tripped up by a false positive that led to an app outage.
The writing on the wall….
In the Mark Zuckerberg Facebook Wall attack, security researcher Khalil Shreateh reported that he found a flaw and alerted Facebook. Shreateh alleges that Facebook ignored his report, so he was left with no other recourse than to demonstrate his flaw by publicly attacking Zuckerberg’s Facebook wall.
Facebook disagrees that Shreateh properly disclosed the flaw. A Facebook spokesperson told eWEEK that his company’s official response to the issue was made in a comment on the popular Hacker News discussion forum. In that response, Facebook engineer Matt Jones, noted that the researcher did not provide complete information and violated Facebook’s terms of service by testing the flaw on a real account, for which he had not obtained user consent.
Facebook has a bug-bounty program that rewards researchers for properly disclosing flaws. Earlier this month, Facebook reported that it has paid out more than $1 million in bug bounties to researchers over the last two years.
The Zuckerberg wall hacking incident and Facebook’s security programs overall are seen in both a positive and negative light by different security researchers.
“The fact that Facebook has open channels of communication, and a bug-bounty program, are clearly things they are doing right,” WhiteHat Security CTO Jeremiah Grossman told eWEEK. “Unfortunately, in this case, a language barrier got in the way of a vulnerability report, but Facebook was able to respond very quickly and fix the issue before more people, other than their CEO, were impacted.”
Chester Wisniewski, senior security advisor at Sophos, has a different viewpoint. Wisniewski noted that Facebook has long been understaffed for fielding security issues. “They liken their one billion users to a nation, yet are sorely under-invested in their national security,” Wisniewski said. “Having sufficient resources to address security concerns would likely have resulted in a more positive outcome.”
The issue, said Ken Westin, a security researcher at Tripwire, is the communication channels available to researchers to communicate security issues to Facebook. “Initially, Facebook’s bug-bounty team ignored the vulnerability that Khalil Shreateh submitted, twice telling him it was not a bug,” Westin told eWEEK. “It was only after he exploited the hole that Facebook’s security team requested more information; unfortunately, this is all too common.”
As it turns out, there is some angst in the security research community about the speed with which Facebook actually deals with security researchers overall.
Matt Bergin, senior security consultant and project manager, CORE Security, told eWEEK that Facebook is notoriously slow when processing the payments for their bug-bounty program. Though he added that, in the Shreateh case, Facebook did act in accordance with its own stated policies for disclosure.
“Many companies that offer bug-bounty programs incentivise researchers monetarily, but proper procedures must be executed by both the researcher and the vulnerable company involved,” Bergin said. “Researchers who participate in these programs have the obligation to follow these guidelines if they expect to be paid for their efforts.”
Automatic for the people
In addition to bug reports that researchers like Shreateh make to Facebook, the social networking giant also has a number of automated-scanning technologies in place. Last week, one of those automated-scanning technologies detected a malicious pattern in some Facebook Apps, which results in thousand of apps being shut down.
While automated scanning can be a good thing, in this case there were a lot of false positives.
“We started with a broad pattern that correctly matched many thousands of malicious apps but, unfortunately, also matched many of your high-quality apps,” Facebook engineer Eugene Zarakhovsky wrote. “When we detected this error, we immediately stopped the process and began work to restore access.”
As is the case with the bug-reporting system, security researchers have different viewpoints on the effectiveness of Facebook’s automated-scanning technologies. WhiteHat’s Grossman said the technologies are, “necessary but not sufficient.”
Tim Erlin, director of security and IT risk strategy at Tripwire told eWEEK that, in this case, it sounds like Facebook took the right actions to address the problem as soon as the company found it. “Their automated-scanning efforts are a requirement to run the application business they have,” Erlin said. “In cases where an error occurs, transparency is the right policy.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Do you know Facebook? Try our quiz!