• Palestinian hacker Khalil Shreateh discovered a glitch that allows anyone to post to a stranger's Facebook wall
    A hacker from Palestine found a Facebook glitch that allowed anyone to post on a stranger’s wall, but when the company ignored his warnings he took them all the way to the top by posting about the issue on Mark Zuckerberg’s wall.

    Khalil Shreateh first contacted the Facebook security team after proving the glitch was real by writing on the wall of a friend of the Facebook founder.

    But instead of thanking him and fixing the issue, Facebook said it wasn’t a bug. And because of the methods Shreateh used to finally convince them of the threat, Facebook later denied him the reward usually given to programmers who report holes in the site’s security.

    ‘My name is Khalil Shreateh. I finished school with B.A degree in Information Systems . I would like to report a bug in your main site (www.facebook.com) which i discovered it...The bug allow Facebook users to share links to other facebook users , I tested it on Sarah.Goodin wall and I got success post.’

    Shreateh, whose first language is Arabic, lives in Palestine and is in no way connected with Zuckerberg’s fellow Harvard alum Goodin. He hoped his ability to post to her page, nonetheless, would help prove his case to Facebook security.



    Pictured: Only your friends are supposed to be able to write on your Facebook wall, but using the glitch he found, Shreateh wrote about the issue on CEO and founder of Facebook Mark Zuckerberg's wall



    However, instead of repairing the obvious security breach, Facebook replied to Shreateh by saying the issue ‘was not a bug.’

    Undeterred, Shreateh used the glitch to hack his way onto Mark Zuckerberg’s Facebook page.

    ‘Sorry for breaking your privacy,’ he wrote in a since removed post to Zuckerberg, ‘I had no other choice…after all the reports I sent to Facebook team.’


    Shreateh went on to recount his attempts to warn the website and posted a grab of the post on his blog.



    Minutes later, his pleas were answered. Facebook contacted him demanding to know how he’d hacked their boss's personal page.

    ‘We fixed this bug on Thursday,’ wrote Matt Jones from Facebook’s security team in a Saturday post on Hacker News.

    Facebook has a bounty program designed to bribe hackers into reporting glitches they find rather than exploiting them. Such validated reports are worth $500.


    Smiling now? He was ignored twice by Facebook security, but Shreateh got a speedy response when he posted to Zuckerberg's wall. But he won't get the usual $500 reward because he violated their terms of service


    But in his post, Jones explains that Shreateh will not be getting his money.

    ‘In order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs,"’ Jones writes.

    By posting to Zuckerberg and Goodin’s accounts, says Jones, Shreateh violated the terms of service and will not be rewarded for his find.

    Nonetheless, Facebook welcomes Shreateh to inform them of any additional glitches he finds for them in the future.

    ‘[We] will pay out for future reports from him,’ writes Jones, ‘if they're found and demonstrated within these guidelines.’


    Victim? Zuckerberg uses Facebook to post about big life events, such as his marriage to Priscilla Chan, just like everyone else. And like everyone else, Zuckerberg's account was vulnerable to the glitch Shreateh found

    • After Facebook ignored a report of the bug Shreateh sent, the hacker posted to Zuckerberg's wall and got a speedy response

    • But Facebook won't pay the normal $500 bounty to Shreateh because they say his intrusive methods broke the rules



    When the social media profile of Mark Zuckerberg, the billionaire Facebook founder and global icon, was hacked by Khalil Shreateh, the “white hat” hacker from the occupied Palestinian territories, the message posted was respectful: “Dear Mark…sorry for breaking your privacy…”


    The 30-year-old programmer from Hebron had discovered a glitch that allowed him to post on any wall on the network. Facebook provides $500 rewards for identifying such a weakness, but rejected Shreateh’s claim, stating it violated protocol. In stepped the ethical hacker community, and over $12,000 has been crowdsourced to reward the Palestinian, who was in a good mood when we spoke.

    Metro: You could have written anything. Were you tempted to make the message spectacular?

    Shreateh: No, because it was a serious vulnerability, but I was forced to write after Facebook ignored my first and second reports. I was frustrated.

    Were you angry with Zuckerberg?

    I admire Mark, and anyone who starts a project like that. Mark built Facebook in college, it did well, he got famous and everyone would want to be like him. I have a lot of respect.

    Does this inspire you to hack more famous people and companies?

    I will keep watching for new vulnerabilities and report them, as I have done many times before. I will not break anyone’s privacy and hope that every hacker uses what they find the right way and not for the black market.

    Is this type of hacking very popular in Palestine? Will you inspire more of it?

    I can’t answer that because intelligence people will come after me. [Laughs] But many are doing this everywhere. I hope it will inspire not only in Palestine as everybody needs these skills.

    How have your friends and family reacted?

    I want to say thanks to the hacker community for their donations; I really appreciate it. My family was worried I would be in jail and never have another job, but I thought I was helping people.

    What are you planning to do with the money?

    You cannot keep money in Palestine – I am very popular now. My family wants me to get married, but I don’t.

    This story originally appeared on metro.us

    Image from khalil-sh.blogspot.ru

    A Palestinian information system expert says he was forced to post a bug report on Mark Zuckerberg’s Facebook page after the social network’s security team failed to recognize that a critical vulnerability he found allows anyone to post on someone's wall.

    The vulnerability, which was reported by a man calling himself ‘Khalil,’ allows any Facebook user to post anything on the walls of other users - even when those users are not included in their list of friends. He reported the vulnerability through Facebook’s security feedback page, which offered a minimum reward of US$500 for each real security bug report. 

    However, the social network’s security team failed to acknowledge the bug, even though Khalil enclosed a link to a post he made on the timeline of a random girl who studied at the same college as Facebook CEO Mark Zuckerberg.

    “Sorry, this is not a bug,” Facebook’s security team said in response to Khalil’s second report, in which he offered to reproduce the vulnerability on a test account belonging to a Facebook security expert.


    Image from khalil-sh.blogspot.ru


    After receiving the reply, Khalil claims he had no choice but to showcase the problem on Mark Zuckerberg’s wall.

    Screenshots on his blog show that Khalil shared details of the exploit, as well as his disappointing experience with the security team, on the Facebook founder’s wall.


    Image from khalil-sh.blogspot.ru


    Just minutes after the post, Khalil says he received a response from a Facebook engineer requesting all the details about the vulnerability. His account was blocked while the security team rushed to close the loophole.

    After receiving the third bug report, a Facebook security engineer finally admitted the vulnerability but said that Khalil won’t be paid for reporting it because his actions violated the website’s security terms of service.

    Although Facebook’s White Hat security feedback program sets no reward cap for the most “severe” and “creative” bugs, it sets a number of rules that security analysts should follow in order to be eligible for a cash reward. Facebook did not specify which of the rules Khalil had broken.

    Somewhere between the second and third vulnerability reports, Khalil also recorded a video of himself reproducing the bug. 

    In its latest reply, Facebook reinstated Khalil’s account and expressed hope that he will continue to work with Facebook to find more vulnerabilities.


    This story originally appeared on rt.com


    After a frustrated Palestinian hacker broke into Mark Zuckerberg's Timeline to report a bug, Facebook acknowledged today that they shouldn't have ignored him. But, despite Facebook's mea culpa, the hacker may still walk away empty-handed.

    "I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him," wrote Joe Sullivan, Facebook's Chief Security Officer, in a post addressing the incident.

    Early last week, Khalil Shreateh discovered a vulnerability that allowed him to post on the Timeline of people who weren't his friends on Facebook.

    He reported the bug through Facebook's whitehat disclosure program, which promises awards to bug hunters. His report was repeatedly ignored, and he resorted to getting Facebook's attention by testing the bug on Zuckerberg's personal Timeline.

    And therein lies the problem, and the reason why Facebook refused to reward the hacker.

    Sullivan explained in his post that researchers or hackers who find bugs should never report them by using them against real users. That's precisely why Facebook gives hackers a way to create dummy accounts to test vulnerabilities, he added.

    "We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users," he wrote. "It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug."


    Sullivan also explained that Facebook receives "hundreds of submissions a day," and just a small portion of those turn out to be legit.

    "As a result we were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem," he wrote.

    Following this incident, Sullivan announced two changes in the way Facebook deals with bug reports. First, "we will improve our email messaging to make sure we clearly articulate what we need to validate a bug," he wrote. And second, "we will update our whitehat page with more information on the best ways to submit a bug report."

    Even if Shreateh won't get a dime from Facebook, he still might get a reward.

    Marc Maiffret, the Chief Technology Officer of security firm BeyondTrust, launched a campaign to reward him on GoFundMe yesterday. It has already gathered more than $8,000, slightly short of its $10,000 goal.

    "It was a good thing that he did," Maiffret told Wired. "He might have done it slightly wrong, but ultimately it was a bug he got killed off before anyone did a bad thing [with it]."

    This story originally appeared on mashable.com

    Khalil Shreateh. Photo: Alice Su


    YATTA, West Bank – “You’ve no idea what I’ve done,” Khalil Shreateh said, bursting into the kitchen of his family’s stone-and-concrete house in the South Hebron Hills. The stocky 30-year-old Palestinian ran a hand through his already haphazard hair. “I just posted on Mark Zuckerberg’s wall.”

    “You’re kidding,” said his sister, 22-year-old Nibal. She’d just tried sending her brother a message over Facebook, and was surprised to find his account mysteriously deactivated. Now she could guess why. “Stay away from big people, brother!”

    “I’m going to take a nap,” Shreateh shrugged. “Hopefully they’ll give me back my page when I wake up.”

    Facebook CEO Mark Zuckerberg. Photo: Carlos Serrao

    It was August 14, and Shreateh had just reached halfway around the world to pull off a prank that would make him the most famous hacker in the Israeli-occupied West Bank. He’d discovered a Facebook bug that would allow him to post to another user’s wall even if he wasn’t on the user’s friends list. Demonstrating the bug on Zuckerberg was a last resort: He first reported the vulnerability to Facebook’s bug bounty program, which usually pays $500 for discoveries like his. But Facebook dismissed his report out of hand, and to this day refuses to pay the bounty for the security hole, which it has now fixed.

    Where Facebook failed, though, techies from across the world stepped in, crowdfunding a $13,000 reward for Shreateh. Now that money, and Shreateh’s notoriety, is about to launch the former construction worker into a new life. He’s using the funds to buy a new laptop and launch a cybersecurity service where websites will be able to request “ethical hacking” to identify their vulnerabilities. And he’s started a six-month contract with a nearby university to find bugs as part of their information security unit. He hacks and reports flaws on other universities’ sites in his free time.

    “If they offer money I do not reject them, but I did not ask for money,” Shreateh says. “I don’t seek much money, only a job and a good life.”

    Shreateh’s life so far hasn’t been easy. Born in Jerusalem and raised here in Yatta, an agricultural town known for its grapes and olives, he has never stepped foot outside the West Bank. Shreateh’s mother died of a heart attack when he was 13. His father, who worked as a manual laborer for an Israeli agricultural company, died of a similar heart problem three years later, leaving Shreateh orphaned along with Nibal and two other siblings.

    That was 1999, the same year computers came to the Hebron area. Shreateh was 16, and he began taking shared taxis to Hebron to visit the city’s only Internet café, paying 10 shekels for the round-trip and 3 shekels for an hour online. Then in 2002, Shreateh discovered the world of hacking. “I got hacked by a Kuwait kid because I was talking to his cousin. I think he was in love with her,” Shreateh says. “Then I found hack forums. I started learning how to hack PCs and personal accounts.”

    Shreateh began a degree in information systems at Al-Quds Open University — eight 15-hour semesters at about $320 per semester, which took Shreateh 10 years to finish. He worked a construction job from 7 a.m. to 7 p.m., so he rarely attended class, instead studying and completing assignments at night. “At exam times I quit my work to study,” Shreateh says. “I had to delay some semesters because I didn’t always have money.”

    In the meantime he learned programming online. “You can learn anything from the Internet,” Shreateh says. “It just takes time. Months, you know, maybe years. Even my English, I learned it from chatting.”

    Shreateh eventually got his own computer (“It was Intel, I think, a big one”), and then Yatta’s local Internet café hired him as a troubleshooter. He was able to give up construction for a while, taking odd website design and e-commerce jobs with companies in Ramallah. But by 2011 he was unemployed again. Most Yatta residents work lower-level jobs in Israel. Finding a job with the big companies usually requires wasta, personal connections that Shreateh doesn’t have.

    In August, with funds running low, Shreateh decided to go back into manual labor. “I was hopeless,” he says. He called a construction company, which said they would call him back in four days. “While I was waiting, I hacked Mark,” Shreateh says with a smile.

    Shreateh discovered the bug during one of his favorite hobbies, checking potential vulnerabilities based on hacker gossip (his other favorite pastime is the game Counterstrike). He first emailed Facebook’s white hat team, expecting to qualify for the company’s two-year-old bug bounty program, which has paid $1 million to some 300 white-hat hackers in 51 countries. To demonstrate the bug, he posted an Enrique Iglesias video to the profile of Sarah Goodin, one of Zuckerberg’s college friends.

    Goodin’s privacy settings prevented non-friends from seeing her Timeline, so Facebook’s security team couldn’t see Shreateh’s post. Shreateh exchanged three emails with them, explaining why their access was blocked and attaching screenshots of the exploit.

    Facebook’s reply was terse: “I am sorry this is not a bug. Thanks.”

    That’s when Shreateh went to Facebook’s founder himself. He posted the bug report on Mark Zuckerberg’s wall, accompanied by a message:

    Dear Mark Zuckerberg,

    First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports I sent to Facebook team .

    My name is KHALIL, from Palestine…

    Minutes later, Shreateh’s account had been disabled. Facebook engineers contacted him for details. They fixed the bug and reactivated his account but refused to pay any bounty, saying that Shreateh had violated the conditions of its bug bounty program by testing the vulnerability on a real user’s account. Facebook’s Chief Security Officer Joe Sullivan later released a statement acknowledging they’d been “too hasty and dismissive in this case,” but also blaming an “absence of detail” in Shreateh’s report. Facebook still refused to pay the reward.

    The story went viral. Outraged at Facebook’s snubbing of a fellow ethical hacker, California security expert Marc Maiffret launched an appeal to the tech community. A former teen hacker who made his name by finding security flaws in Microsoft products, Maiffret is now CTO of BeyondTrust. He contributed the first $3,000 to a GoFundMe campaign to crowdfund a bounty for Shreateh’s Facebook exploit.

    Within a day, donors had given more than $10,000. The final amount raised was $13,125 from 303 people across the world, mostly donated in sums of $5 or $10, many with notes congratulating Shreateh and deriding Facebook.


    The West Bank town of Yatta, where Khalil Shreateh hacked Facebook’s CEO. Photo: Alice Su

    The West Bank is no easy place to be a hacker, or to do anything in the technology sphere. The occupied region depends on Israel for electricity, water and telecommunications, including the sluggish Internet that crawls into the South Hebron Hills. Shreateh has a well and three water tanks on his roof because Yatta only receives several days of running water every few months. Blackouts are common, and the town often goes without electricity for whole days in the winter.

    Partly to blame is a complex system established by the Oslo accords that splits the West Bank into three zones under different combinations of Palestinian and Israeli control. “It’s like Swiss cheese,” says George Khadder, a tech entrepreneur who worked in Silicon Valley for 13 years. He sketches how Zones A, B and C weave in, out and around each other, with chunks of Israeli settlement territory in between. “The West Bank is like an archipelago, in terms of contiguity and services. This is absolutely a problem.”

    This access gap is clear on the drive from Jerusalem to Yatta, which requires passing through a military checkpoint that bars Shreateh from entering Israel. The road to Yatta passes several Israeli settlements, sprawling over hilltops with their separate telecom systems, brightly lit streets and green, well-watered lawns. “The dogs in Israel drink more water than Palestinians,” the taxi driver laughs.

    Shreateh now lives in Ramallah, where the situation is a little better. He comes home on weekends, as does Nibal, who is studying dentistry in Abu Dis. “He’s the only one who does this computer stuff,” she says. “Our family geek.”

    Their nieces are rambunctious, dancing to an Arabic music channel blaring from the television and yelling about the Eid al-Adha crowds in Hebron. They parade around the kitchen table, showing off the new clothes they’ve just bought for the Muslim holiday – matching turtlenecks with faux fur vests – while Shreateh’s sisters laugh and croon that yes, the girls look very pretty.

    Only Shreateh is oblivious to the family buzz. He sits at a small table next to the refrigerator, wholly engrossed in his laptop screen, flicking back and forth between Hacker News, exploit forums and his own security projects. He typically stays up until 2 a.m., clacking away on the keyboard as the rest of Yatta sleeps.

    “He’s listening to Linkin Park,” Nibal says, adding that she finds it funny how “geeks everywhere like the same music.”

    Shreateh has his own website and 44,156 followers on Facebook, many of whom spam him with questions about hacking into their boyfriends’ profiles or raising their exam grades online. Shreateh ignores them. “I am an ethical hacker,” he says. “I don’t damage or destroy.”

    That makes him different from some other Palestinian hackers. The same month as Shreateh’s Facebook prank, hacktivists hijacked Google’s Palestine domain, redirecting it to a page with a Rihanna background song and written message: “uncle google we say hi from palestine to remember you that the country in google map not called israel. its called Palestine”

    This month, another group called KDMS hacked the websites of security companies AVG and Avira, among other companies, redirecting to a site displaying the Palestinian flag, a graphic of Palestinian land loss, and a similar message: “we want to tell you that there is a land called Palestine on the earth,” it read in part. “this land has been stolen by Zionist.”

    Shreateh dismisses these attacks as counterproductive. “They hacked to put a message about Palestine,” he says. “But some will say ‘Look, Palestinians are mindless. They hack everything, that’s bad.’ … Some people break the law to send a message, but I will send a message with my own name, not with a nickname. I can send a message without damaging a website.”

    He shrugs off KDMS’s invective about good Palestinians versus bad Israelis, but bubbles over when the conversation turns to good hackers versus bad hackers. He’s a citizen of the Internet, disconnected from the Israeli-Palestinian situation, wrapped in the superhero role of upholding a hacker’s ethical code in a virtual, non-occupied world.

    “There is no security today. No one is secure,” Shreateh says. That’s why people need ethical hackers to protect systems against the nonstop threat of security vulnerabilities and the black-hat hackers who exploit others for fame and money. There’s a moment of truth when you decide to take the white hat path, Shreateh says, a fork in the road when any hacker discovers a bug and decides to publicize it or get it closed instead of exploiting it for personal gain.

    “I think, if someone hacks and takes my money, how do I feel?” Shreateh asks. “You treat people how you want them to treat you.”

    As for Israeli hackers, he sees them as inferior, babied by the privilege of living without occupation. “Israeli hackers all come from university classes. They have companies and courses to teach them,” Shreateh scoffs. “Palestinian hackers come from Google search and YouTube videos. We all learned on our own.”

    Shreateh smiles, kicks off his rubber slippers and opens his laptop to check his Facebook page, which has been receiving a steady flow of messages all afternoon. He scrolls through the flood of bug reports, Metasploit gossip, requests for hacking advice and fan mail in Arabic and broken English. He chuckles at some comments and Likes others, then opens khalil-shreateh.com, pausing on the still-incomplete website for a moment. “I am the only ethical hacker in Palestine,” Shreateh says, puffing out his chest. “But for sure, there will be more like me in the future.”


    This story originally appeared on Wired.com