Most of us put our data online based on the trust that it will not be misused or abused. It is an unspoken agreement between the user and the company that the platform will make sure that the user does not face any sort of discomfort on the platform unless otherwise stated.
In the last few years, Facebook has received a lot of flak for allegedly compromising on users’ security. Most big tech companies have programs to reward white hat hackers for finding security flaws in their systems. Facebook's reputation in this regard has never been up to the mark. In August 2013, Khalil Shreateh, a hacker from Palestine, wrote to Facebook about a bug which allowed him to post on anyone's wall. Facebook dismissed his warnings, so Khalil took an alternate route and posted directly to Mark Zuckerberg's wall. After the incident, Facebook security contacted Khalil, acknowledged the bug and rectified it.
In 2012, Ars Technica, an online publication from ‘Condé Nast’, featured a story which said that Facebook does not delete images from its servers and was still storing images three years after the user had deleted them. It was not clear whether this was a deliberate attempt at storing users’ data or just another misstep in a long series of mistakes by Facebook.
In most bug bounty/reward programs, the bug is not made public until it is rectified, and the company offering the reward often notifies the hacker once it solves the issue. However, what would you do if a company says it has rectified the bug without actually rectifying it and allows the hacker to make the bug public? Based on the severity of the bug and the number of users, it is easy to estimate the amount of damage done.
But what should be done if the company in question is Facebook and the extent of damage is unimaginable? Earlier this year, we featured Vivek Bansal in one of our ‘Techie Tuesdays’ columns. Vivek discovered a bug in Facebook security which allowed him to post to anyone's wall on Facebook without the requisite permission. Vivek reported the issue to Facebook. But unlike Khalil's case, the issue was promptly acknowledged and a bounty was even issued to him. He was also inducted into the Facebook Hall of Fame.
However, the story does not end here. Soon after the bounty, Vivek received a message from the Facebook team that the issue was resolved and he was now free to talk about it publicly. Vivek discussed the issue with us, and it was picked up by other media as well. Recently, Vivek was able to exploit the same security vulnerability using the same method. This left everyone vulnerable, as the method to exploit it was out in public (there is even a video showing how to post to anyone's wall).
The possibilities of leaving a security hole out in the open are endless. This could be a goldmine for a spammer or someone who wants to market their product. It would not take them more than a couple of lines of code to write a script which could post on people’s walls. It would be worse if it was used to spread panic or propaganda by posting different messages on people's walls.
One thing which is unclear is this: if the bug was never patched, what purpose does the illusion of patching it serve? Facebook could have asked Vivek to keep quiet about the bug and not share it publicly. Vivek wrote to the Facebook team about this but did not receive any response until he went public with his findings. After many sites went ahead and published his findings, the Facebook team responded saying the measure they take is not preventive but reactive (catching abuse after it has taken place), which means they will act only after the damage has been done.
Now this raises a number of questions: Is there no way to act and take preventive measures, considering the fact that they have some of the best minds in the world working with them? What is the purpose of spreading the illusion of safety when it is not actually safe?