Facebook denied a student an internship over a Messenger security hole he used

    Three months ago, Harvard student Aran Khanna was preparing to start an internship at Facebook, but a couple of hours before the trip he received a call with a refusal. The reason was the student's "unethical" behavior: Khanna had published a Chrome extension that shows the locations from which Facebook Messenger messages were sent. The messenger sends this data by default with each message from the mobile application.



    The Marauder's Map application (the name should be familiar to Harry Potter fans) is an extension for Google Chrome that uses data from Facebook Messenger to compile a map: it shows the places from which users sent messages. Only people from the group chat appeared on the map, and Aran knew all of them. This means that, hypothetically, a person he did not know could see that Aran wrote a message in the messenger while in Starbucks.

    Facebook Messenger has been in operation since 2011, and by default it sends data about the user's location from the moment it is launched. In 2012, CNET wrote about this "property", showing how to disable the function. The application received many updates, including funny emojis with cats, but the company did not remove the geolocation settings. Khanna often used the messenger, but did not know that he was sharing so much data until he looked at his message history.

    [Image: Aran Khanna and Mark Zuckerberg]

    On May 26, Khanna published a post about the Marauder's Map on Medium, after which the extension was downloaded eighty-five thousand times. Three days later, Facebook asked the developer to disable the application and at the same time turned off the transfer of location data on personal computers, which in any case blocked the operation of the "Map".

    A week later, Facebook released an update for Messenger, stating in the release notes: "After this update, you will get full control over when and how you share data about your location." In the release, the company did not mention that the default settings had previously sent location data, or that users who did not install the update would continue to send this data.

    A Facebook spokeswoman said the company had been working on an update for Messenger long before Khanna published his post, and said the preparation process took several months.

    Khanna published a study in the Harvard journal Technology and Science. He explained that the purpose of the application is to show the consequences of unintentional data sharing, so that users can decide for themselves whether this is really a violation of their privacy.

    In 2012, CNET posted a video on how to turn off location sharing in Facebook Messenger. But only nine days after Aran's publication in 2015 did an update appear that asked the user whether they wanted to send this data.




    Three days after the publication of the "Marauder's Map" and two hours before Aran was supposed to leave for the internship, he received a call from Facebook and was refused the internship for violating Facebook's user agreement, on the grounds that he had hacked into a site to obtain data. Khanna did not agree with Facebook, because he had used information that was accessible to all users and that he took from his own messages.

    In 2012, Mark Zuckerberg wrote in a letter to investors: "We have created a unique culture and management system that we call the Hacker Way" and "Be Brave". It turned out that courage and hacking have limitations.

    In 2013, a Palestinian developer, Khalil Shreateh, reported a bug to Facebook that allowed any user to post a link on someone else's page. Shreateh wanted a reward for the vulnerability he had found, but the company refused him, saying that "this is not a bug." The developer decided to notify Mark Zuckerberg himself of the flaw and posted a message on his page using this vulnerability. Khalil never received the money: Facebook said it "cannot pay you for this vulnerability because your actions violated our terms of service."
