Palestinian hacker Khalil Shreateh discovered a glitch that allows anyone to post to a stranger's Facebook wall
A hacker from Palestine found a Facebook glitch that allowed anyone to post on a stranger’s wall, but when the company ignored his warnings he took them all the way to the top by posting about the issue on Mark Zuckerberg’s wall.
Khalil Shreateh first contacted the Facebook security team after proving the glitch was real by writing on the wall of a friend of the Facebook founder.
But instead of thanking him and fixing the issue, Facebook said it wasn’t a bug. And because of the methods Shreateh used to finally convince them of the threat, Facebook later denied him the reward usually given to programmers who report holes in the site’s security.
‘My name is Khalil Shreateh. I finished school with B.A degree in Information Systems . I would like to report a bug in your main site (www.facebook.com) which i discovered it...The bug allow Facebook users to share links to other facebook users , I tested it on Sarah.Goodin wall and I got success post.’
Shreateh, whose first language is Arabic, lives in Palestine and is in no way connected with Zuckerberg’s fellow Harvard alum Goodin. He hoped his ability to post to her page, nonetheless, would help prove his case to Facebook security.
Pictured: Only your friends are supposed to be able to write on your Facebook wall, but using the glitch he found, Shreateh wrote about the issue on CEO and founder of Facebook Mark Zuckerberg's wall
Watch video of Shreatah explaining the Facebook glitch...
However, instead of repairing the obvious security breach, Facebook replied to Shreateh by saying the issue ‘was not a bug.’
Undeterred, Shreateh used the glitch to hack his way onto Mark Zuckerberg’s Facebook page.
‘Sorry for breaking your privacy,’ he wrote in a since removed post to Zuckerberg, ‘I had no other choice…after all the reports I sent to Facebook team.’
Shreateh went on to recount his attempts to warn the website and posted a grab of the post on his blog.
Minutes later, his pleas were answered. Facebook contacted him demanding to know how he’d hacked their bosses personal page.
‘We fixed this bug on Thursday,’ wrote Matt Jones from Facebook’s security team in a Saturday post on Hacker News.
Facebook has a bounty program designed to bribe hackers into reporting glitches they find rather than exploiting them. Such validated reports are worth $500.
Smiling now? He was ignored twice by Facebook security, but Shreateh got a speedy response when he posted to Zuckerberg's wall. But he won't get the usual $500 reward because he violated their terms of service
But in his post, Jones explains that Shreateh will not be getting his money.
‘In order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs,”’ Jones writes.
By posting to Zuckerberg and Goodin’s accounts, says Jones, Shreateh violated the terms of service and will not be rewarded for his find.
Nonetheless, Facebook welcomes Shreateh to inform them of any additional glitches he finds for them in the future.
‘[We] will pay out for future reports from him,’ writes Jones, ‘if they're found and demonstrated within these guidelines.
Victim? Zuckerberg uses Facebook to post about big life events, such as his marriage to Priscilla Chan, just like everyone else. And like everyone else, Zuckerberg's account was vulnerable to the glitch Shreatah found
After Facebook ignored a report of the bug Shreateh sent, the hacker posted to Zuckerberg's wall and got a speedy response
But Facebook won't pay the normal $500 bounty to Shreatah because they say his intrusive methods broke the rules