Posted by : Unknown
Friday, 3 January 2014
A Developer discovers a bug to re-enable poll questions and Facebook says: NOT A BUG!
Yesterday, an Egyptian programmer and information security analyst, Mohamed AbdelBaset, sent a report to the Facebook security team telling them that he had successfully bypassed the "Posting Check System" and re-enabled the "Poll Questions" option for fan pages, which the Facebook administration had disabled. He could also make it work on personal profiles, where it had never been enabled before. He explained in his report that any big fan page or public celebrity Facebook account with a huge number of fans and interactions could use it to collect data and statistics and sell them to interested companies, which he thinks was the main reason Facebook had to disable this feature.
But, as usual, the Facebook Security team didn't admit it was a BUG. After a while he received this email:
"Hi Symbian,
The ability to post questions does not constitute a security or privacy issue: there is no risk to user data or privacy here.
Thanks,
Godot
Security
Facebook"
He explained more than once that this report is not a "Security Issue", but that it is compatible with two of the "Bounty conditions". The first is "Privilege Escalation", because he can skip the "Posting System" rules. The second is "Circumvention Platform Permission Models", because he skipped the permission models. But they didn't admit it. Then he got this email:
"Hi Symbian,
As said we don't consider this a security vulnerability. I am closing out this ticket now.
Thanks,
Emrakul
Security
Facebook"