Researcher: Facebook Ignored The Bug I Found Until I Used It To Hack Zuckerberg

Aug 18, 2013, 20:04 IST

Nothing is supposed to show up on your Facebook Wall unless it's posted by you or your friends.


So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.

That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.

He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post.

Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.


Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall.

The message said, "Sorry for breaking your privacy ... but a couple of days ago, I found a serious Facebook exploit" and explained that Facebook's security team wasn't taking him seriously.

Here's a photo of the message from Shreateh:

That worked and fast. Within minutes a Facebook security engineer contacted Shreateh and asked for details on how he did it, Shreateh says.


In a post on Hacker News, Matt Jones from Facebook's security team said that once the team understood the bug they acted quickly, "We fixed this bug on Thursday."

They also temporarily suspended Shreateh's account and said they wouldn't pay him the bounty fee because, by posting to Zuck's account, he violated Facebook's terms of service. Then the Facebook team asked him to continue to help them find bugs, he says.

Commenters are split on whether Facebook ripped off Shreateh or not. Facebook says that Shreateh didn't include enough technical info when he tried to report the bug. You can't just demonstrate the bug; you have to explain how it works.

On the other hand, he wouldn't have hacked Zuck's account if the security team had asked him for more details the first two times he tried to report it.

Facebook's full comment on what happened is posted on Hacker News. Here's the bit that explains why Shreateh was disqualified from payment:


"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent."
