Palestinian IT researcher Khalil Shreateh discovered a serious security vulnerability in Facebook and used it last week to post directly on the timeline of Facebook founder and CEO Mark Zuckerberg. He did so to get attention for a bug he had already reported to the social network's White Hat security team, which had ignored or dismissed his reports.
Shreateh found that he could post on just about anyone's Facebook timeline, even if that person was not in his friends list. All it took was the target's Facebook user ID and some copying and pasting, which means the server was accepting the post without enforcing the friend-only rule that is supposed to gate who can write on a timeline. He produced a video demonstrating the technique and posted it on YouTube.
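The flaw described above is a classic broken access control bug: the server authenticates who is making the request but never checks whether that user is allowed to act on the target it names. The following is an added example written for this page, not code from the original article and not Facebook's implementation. It models a toy timeline service with a hypothetical vulnerable handler beside a fixed one, plus an audit pass a responder could run over stored posts after the fix to find what the old handler let through. All user IDs, names and post texts are constructed sample data.

```python
"""
Added example (not Facebook's code): a toy timeline service showing the
class of flaw described in the article, a handler that trusts a
client-supplied target user ID without checking the friend relationship,
next to the fixed handler and an audit of posts that slipped through.
All IDs, names and posts are constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the actor is not allowed to post on the target timeline."""


@dataclass
class Timeline:
    owner: str                                  # user ID of the timeline's owner
    friends: set = field(default_factory=set)   # user IDs allowed to post here
    posts: list = field(default_factory=list)   # (author_id, text) pairs


def build_sample_timelines():
    """Constructed data: three users; only 1001 (alice) and 1002 (bob) are friends."""
    return {
        "1001": Timeline(owner="1001", friends={"1002"}),   # alice
        "1002": Timeline(owner="1002", friends={"1001"}),   # bob
        "1003": Timeline(owner="1003", friends=set()),      # mallory, no friends
    }


def can_post(actor, target_id, timelines):
    """Authorisation rule derived from server-side data: owner or friend."""
    tl = timelines.get(target_id)
    return tl is not None and (actor == tl.owner or actor in tl.friends)


def post_vulnerable(timelines, actor, target_id, text):
    """Hypothetical flawed handler: the actor is authenticated, but the
    target_id comes straight from the request (the 'grab the user ID and
    paste it' step) and is never authorised, so anyone logged in can post
    on any timeline they know the ID of."""
    timelines[target_id].posts.append((actor, text))
    return True


def post_hardened(timelines, actor, target_id, text):
    """Fixed handler: the server checks its own friend graph before writing."""
    if target_id not in timelines:
        raise KeyError(f"no such timeline: {target_id}")
    if not can_post(actor, target_id, timelines):
        raise Forbidden(f"user {actor} may not post on timeline {target_id}")
    timelines[target_id].posts.append((actor, text))
    return True


def audit_unauthorised_posts(timelines):
    """Incident-response check: return stored posts whose author would fail
    the authorisation rule today, i.e. what the old handler let through."""
    findings = []
    for target_id, tl in timelines.items():
        for author, text in tl.posts:
            if not can_post(author, target_id, timelines):
                findings.append((author, target_id, text))
    return findings


def demo():
    """Run both handlers against the same constructed data and return the
    observable results so the difference is explicit."""
    vuln = build_sample_timelines()
    post_vulnerable(vuln, actor="1003", target_id="1001", text="hi, not your friend")
    leaked = audit_unauthorised_posts(vuln)

    fixed = build_sample_timelines()
    post_hardened(fixed, actor="1002", target_id="1001", text="hi from a friend")
    try:
        post_hardened(fixed, actor="1003", target_id="1001", text="hi, not your friend")
        blocked = False
    except Forbidden:
        blocked = True

    return {
        "vulnerable_accepted_stranger": len(vuln["1001"].posts) == 1,
        "audit_findings": leaked,
        "hardened_accepted_friend": len(fixed["1001"].posts) == 1,
        "hardened_blocked_stranger": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the fix is that the authorisation decision uses only data the server controls (the session's user ID and the server-side friend graph); nothing the client supplies about the relationship is trusted. The audit function is the check a practitioner would want after deploying such a fix, since posts written through the old path are still sitting in storage.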
Shreateh recalled that he got no response from Facebook's security team when he first reported the vulnerability. On his second report, the team told him that what he had found was not a bug. Convinced that the flaw was severe, and frustrated that the site's security team was not taking him seriously, he decided to demonstrate it in a way that could not be ignored.
The response after he posted on Zuckerberg's timeline was quicker than he expected. Within minutes, one of the site's security engineers replied asking for more details about the bug.
Facebook's response did not end there. Despite having helped the company identify and resolve the vulnerability, Shreateh was penalised: the social network temporarily disabled his account and refused to pay any reward for the discovery.
Facebook justified this by pointing to a provision of its Terms of Service that it said Shreateh had violated. The company reiterated that his demonstration breached a fundamental rule of how the site works: no one should post on somebody's timeline unless they are that person's friend. Even so, Facebook said it hopes Shreateh will continue to help it find vulnerabilities.
The company runs a White Hat Program that pays independent security researchers for finding and reporting security bugs to the Facebook security team, and it says it has paid out over $1 million to researchers over the last two years. Bounty programs typically pay only for reports that stay within the program's rules, and Shreateh's demonstration against a live account is what Facebook says put him outside them. Should Shreateh qualify for the reward anyway?