Saturday, June 24, 2017
Home / Security / Exploits / Facebook Exploit ignored after report

Facebook Exploit ignored after report

Facebook Exploit  “post to Facebook user when they are not on friends list” discovered by Khalil Shreateh  states on his blog, that he has discovered this exploit and reported it to Facebook.

Days ago i discovered a serious facebook vulnerability that allows a facebook user to post to all facebook users timeline even they are not in his friend list .

Shreateh reported it via http://www.facebook.com/whitehat and received this message back:

klR7t2U

The researcher then demonstratedthe exploit for the Facebook security team which is in denial.

Ashampoo_Snap_2013.08.12_02h52m42s_001_

The security team denied all of it stating it was not a exploit, you can read their email below:

a minute after that i got my account disabled ,as they said facebook has all the right to disable any facebook account without any reason given , i made another report asking facebook security to reactivate my account , this is the email shows my report including their replay :

Dear Khalil,
 Facebook disabled your account as a precaution. When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
 We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
 We have now re-enabled your Facebook account.
 Joshua
Security Engineer
Facebook
-----Original Message to Facebook-----
From: [email protected]
To: 
Subject: bypass facebook posts to timeline privacy
 Name: Khalil Khalil
E-Mail: [email protected]
Type: privacy
Scope: www
Description: ok , this is the third time i report this bug , 
 i know that you guys now know that it’s a bug for sure after 
facebook.com/ola deactivate my account which is facebook.com/khalil.iz.sh
 i want my account back soon as possible , as i report the bugs for you and i didnt use another fake accounts or test accounts to break privacy .
 although my account contains important messages that some of my friends need them back .
 https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-ash3/1174822_10200988067716575_1496625129_n.jpg
 repro:
 this the last post i made before " www.facebook.com/ola " deactivate my account ,
i had no choice after you guys replay twice back again to me that this is not a bug . 
 https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-prn1/543398_10151865722018885_1202186069_n.jpg

The researcher has now released a point of concept (POC) video for the Facebook team.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Amazon hacked – hacker leaks 80,000 login credentials

A hacker going by the name 0x2Taylor has said to have breached the servers of …