Hacker posts on Zuckerberg's timeline to report Facebook bug

When hacker Khalil Shreateh's reports of a bug were ignored, he decided to post on Mark Zuckerberg's wall using the same bug to make his point

When Facebook went public, CEO Mark Zuckerberg released the 'Hacker Manifesto' to investors, in which he highlighted the company's motto, "Move fast and break things." The company has always emphasised that hacking is key to creating new products and fixing bugs on the site.

Facebook has also encouraged hackers to find bugs on the site and has paid them rather generously. But Palestinian hacker Khalil Shreateh, who notified Facebook about a bug that allowed any user to post to anyone's timeline whether or not they were 'friends' on the network, was ignored.

So Shreateh decided to go another way. Using the vulnerability, he posted on Facebook CEO Mark Zuckerberg's wall. His action got the attention of Facebook security engineer Ola Okelola, who commented on the post asking for further information on the bug. "After a brief discussion, Shreateh's Facebook account got suspended 'as a precaution,' as another Facebook security engineer named Joshua explained to Shreateh by email," reports Mashable.com.

"Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," Joshua wrote, according to the website. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." He added that Facebook was "unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service."


Facebook's terms for researchers say that a hacker who finds a bug is not allowed to exploit it, and anyone who does so will not be rewarded under Facebook's 'Bug Bounty' programme. In practice this means demonstrating an issue only against accounts the researcher controls, never against other users' accounts or data.

Facebook security engineer Matt Jones later went on Hacker News to explain the situation. "The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat," he says. "...In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent...in order to qualify for a payout you must 'make a good faith effort to avoid privacy violations'...Unfortunately, the OP did neither of those things."

Facebook has paid over $1 million in the past two years to security researchers who report bugs on its website, with India the second-largest recipient by country. Facebook said it started the Bug Bounty programme a little more than two years ago to reward security researchers who report issues and to encourage people to help keep the site safe and secure.

"The programme has been even more successful than we'd anticipated," Facebook said in a statement on its website. "We've paid out more than $1 million in bounties and have collaborated with researchers from all around the world to stamp out bugs in our products and in our infrastructure."

With inputs from PTI
