Researcher posts Facebook bug report to Mark Zuckerberg's wall


An IT expert takes to the social network CEO's timeline to demonstrate the vulnerability, which allowed anyone to post to other users' walls even if

"When we discovered your activity we did not fully know what was happening," an engineer who identified himself as "Joshua" told Shreateh. "Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."


Joshua also informed Shreateh that he would not be receiving a bug reward for reporting the exploit because he violated the site's terms of service. "We do hope, however, that you continue to work with us to find vulnerabilities in the site," he wrote.

A Facebook security engineer responded Saturday in a Hacker News post that the vulnerability was fixed Thursday and conceded that Shreateh should have been asked for more details on the issue after his initial report. Along with offering inadequate information about the bug, Shreateh's post to Zuckerberg's timeline violated the social network's responsible disclosure policy, the security engineer wrote.

"Exploiting bugs to impact real users is not acceptable behavior for a white hat," the engineer wrote, adding that researchers are allowed to create test accounts to aid their research.

Ref: cnet.com
