If your name is Mark Zuckerberg of Facebook, well, you’ve been “hacked”. Khalil Shreateh, a self-professed IT expert from Palestine, claims to have discovered a vulnerability that lets anyone post a link to other Facebook walls. He also claims he reported the bug to Facebook recently and was given the cold shoulder.
According to a lengthy blog post outlining the timeline of events, the IT expert says he tested the vulnerability on Sarah Goodin — a friend of Facebook CEO Mark Zuckerberg, and the first woman to sign up to the service — before reporting it through Facebook’s whitehat disclosure service for security researchers. For those who have no idea, the whitehat service rewards researchers with at least $500 for successful bugs. Although Shreateh attached a screenshot of the post, a Facebook security engineer, identified only as Emrakul, replied saying “I am sorry this is not a bug,” without asking for additional information.
Unfazed by the reaction, Shreateh decided to notify Mark Zuckerberg himself by posting to his timeline. Within a short time, Facebook security engineer Ola Okelola contacted Shreateh requesting details on the exploit. In a stupid move, Facebook disabled his account, presumably fearing a wider security breach. Fortunately, Shreateh’s account has now been re-enabled, but the company claims his original report “did not have enough technical information” for them to take action. He later received an email from a Facebook security engineer — identified as Joshua — claiming the company is “not able to pay you for this vulnerability because your actions violated our Terms of Service.”
In a response posted on Hacker News, a Facebook engineer writes that the bug was fixed on Thursday and that the company should have asked for additional instructions after the researcher’s initial report. But Facebook reiterated claims that Shreateh violated the company’s Terms of Service.