Nothing is supposed to show up on your Facebook Wall unless it’s posted by you or your friends.
So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people’s Walls, he reported it to Facebook.
That bug is a spammer’s dream. To prove his bug was real, Shreateh posted something to Sarah Goodin’s wall, a friend of Facebook CEO Mark Zuckerberg.
He then contacted Facebook’s security team with the proof that his bug was real, he explained in a lengthy blog post.
Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $US500+ fee, Facebook told him “this was not a bug,” according to an email that Shreateh shared.
Shreateh says he tried a second time to warn Facebook and when that didn’t work, he used the bug to post a message to Mark Zuckerberg’s Wall.
The message said, “Sorry for breaking your privacy … but a couple of days ago, I found a serious Facebook exploit” and explained that Facebook’s security team wasn’t taking him seriously.
Here’s a photo of the message from Shreateh”
That worked and fast. Within minutes a Facebook security engineer contacted Shreateh and asked for details on how he did it, Shreateh says.
In a post on Hacker News, Matt Jones from Facebook’s security team said that once the team understood the bug they acted quickly, “We fixed this bug on Thursday.”
They also temporarily suspended Shreateh’s account and said they wouldn’t pay him the bounty fee because, by posting to Zuck’s account, he violated Facebook’s terms of service. Then the Facebook team asked him to continue to help them find bugs, he says.
Commenters are split on whether Facebook ripped off Shreateh or not. Facebook says that Shreateh didn’t include enough technical info when he tried to report it the bug. You can’t just demonstrate the bug, you have to explain how it works.
On the other hand, he wouldn’t have hacked Zuck’s account if the security team had asked him for more details the first two times he tried to report it.
Facebook’s full comment on what happened is posted on Hacker News. Here’s the bit that explains why Shreateh was disqualified from payment:
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behaviour for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”