Startup to Facebook: Want to see the security flaw we found? Come to Tel Aviv & get it yourself

Startup to Facebook: Want to see the security flaw we found? Come to Tel Aviv & get it yourself

a scrappy Israeli security startup that says it accidentally discovered a flaw in Facebook’s mobile applications, has a harsh message for the social media giant: Take a hike!

“Look. I understand they’re frustrated. But we’re a startup. Our job is to grow, not fix Facebook’s problems for free,” said MyPermissions chief executive officer Olivier Amar from his home in Tel Aviv.

MyPermissions’ hackers discovered the vulnerability in Facebook’s mobile apps — a flaw that prohibits users from logging off — Thursday.

According to a blog post on MyPermission’s site yesterday,  the vulnerability lets app makers “make it impossible for you to revoke an app’s permission to access your information.”

Ordinarily, Facebook allows you to revoke permission from apps that you no longer want or trust. With MyPermissions’ script, however, that revocation is impossible. If you try to revoke the app’s permission, you get an error screen in iOS as well as Android versions.

MyPermissions says they’ve been working with Facebook engineers to help them plug the gap.

Facebook requested the script, and Amar told the Palo Alto based media giant no dice.

MyPermissions is a 10-employee security startup that aggregates and protects user passwords when logging onto mobile devices.

Amar heatedly denied suspicions that his startup was generating press in order to be acquired or violating “white hat” ethics that call for developers and hackers to be transparent and work together.

Shawn Davenport from  says cooperation is imperative, pointing to his company’s which offers rewards to users who discover hardware and software holes.

Facebook has a similar rewards program.

“Participants work closely with us to disclose vulnerabilities responsibly, so we can work together to improve security for our customers. Once a vulnerability has been resolved, researchers are free to disclose their work publicly, which benefits the entire community,” Davenport said in an email.

Amar — a Montreal-born Canadian — expressed exasperation at Facebook’s requests for the script his engineers spent three days writing.

He pointed out that MyPermissions was the one who gave Facebook the heads-up in the first place.

“If Facebook had more companies like us, it would be a much better place. But we’re small. We have a burn rate, and they obviously don’t appreciate the 60-plus hours our guys have put into this,” Amar said.

Facebook, for their part, said they’ve been unable so far to replicate the script. They say engineers have determined the bug doesn’t effect users logging into Facebook from desktops, just mobile devices.

Facebook says there’s no evidence of a major security flaw or that user accounts have compromised.

Amar said the problem is potentially huge because it could theoretically allow malware to be inserted into the Facebook user stream.

“They won’t give us the script. It’s in everyone’s interest to get to the bottom of this,” a Facebook spokesperson said, calling the situation an “assumption of vulnerability” coming from the team at MyPermissions.

“We heard about this 24 hours ago,” the Facebook spokesman said. “We’re working to get to the bottom of it.”

MyPermissions raised more than $1 million last year in venture funding. The mobile application manages and protects user data and how its shared by websites users visit. When users’ login information is synched to, say, Pandora or Linkedin, MyPermissions users are notified with an alert.

“Look, if they want the script then they can fly over here to Tel Aviv and get it themselves,” Amar says.