Palestinian hacker channeling Snowden and Swartz becomes folk hero for Zuckerberg ‘exploite’

693 UxK9I AuSt 55
Palestinan Khalil Shreateh sits in front of his his computer at his home in the West Bank town of Yatta, Monday, Aug. 19, 2013 (Photo: Nasser Shiyoukhi/AP)
Photo of Aaron Swartz on Khalil’s facebook page

This is a great story that has gotten a lot of attention in the tech community. A Palestinian hacker named Khalil Shreateh kept reporting a bug in the Facebook code to Facebook, but techs blew him off. Finally he hacked Mark Zuckerberg’s page to post the bug there, along with an apology. “Sorry for breaking your privacy. I has no other choice… as you can see iam not in your friend list and yet i can post to your timeline.”

All hell broke loose, and Facebook cut off Shreateh’s Facebook page and also refused to give him the reward Facebook advertises for techies who discover glitches. The hacker community stepped up and rallied to reward him via a fundraising campaign on GoFundMe that has already raised over $11,000.

And now the hacker– who has used the portraits of Edward Snowden and the lateAaron Swartz, above, in his profiles– has become a global folk hero, and Zuckerberghas egg on his Facebook.

The story has been propelled by Shreateh’s devilish chops, sense of humor, and English. “Hello guys, this will be English and Arabic,” the bilingual youth wrote, in a viral video on the “exploite” that he put together to prove that he’d discovered the glitch.

AP says Shreateh has been inundated by job offers from all over the world, and his reactivated Facebook page, which now features his own portrait, lists his business representatives.

I can only imagine the political dimensions of this story. Shreateh lives in occupied Yatta, a city in the West Bank that is a core site for warehousing people who are being moved off their lands. And as Alex Kane noted to me, all Palestinian stories are political:

In the U.S., we’ve been trained to views Palestinians crudely; I imagine if you ask Americans what’s the first thing you think of when you think of Palestine, they would say Islamists, Hamas or war. But Shreateh is a reminder that this is a sophisticated society, one of the most highly educated in the world. Of course elements of Palestinian society are still tied to traditional ways of living–and there’s of course nothing wrong with that–but Palestinians are a part of our world, our hyperconnected Internet-infused world.

Right, that’s what’s thrilling about Shreateh. He destroys stereotype, and does it with brilliance, mischief, and some good oldfashioned resistance.

OK, some of the facts. From a tech site: “Snubbed by Facebook, Security researcher hacks Mark Zuckerberg’s Facebook page.”

Although Shreateh’s Facebook account was soon reactivated, he was told he wouldn’t qualify for Facebook’s bug-bounty program, which rewards researchers who find security flaws with payments ranging from $500 to $5,000.

“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service” by making an unauthorized posting to a member’s page, the email message Shreateh received said. “We do hope, however, that you continue to work with us to find vulnerabilities in the site.”

To Shreateh, who says on his blog that he’s unemployed, this was unfair.

“I could sell” the exploit in underground malware bazaars, he told CNNin an interview. “I could make more money than Facebook could pay me.”

If you go to Khalil’s blog, “Facebook vulnerability 2013,” he tells the story himself. He gives his address as “Yatta-Hebron/Palestine,” and his job as “unemployee :/”

Days ago i discovered a serious facebook vulnerability that allows a facebook user to post to all facebook users timeline even they are not in his friend list .

His account of the “exploite” is charming. At one point he used a Zuckerberg friend’s facebook page to try and get his message across.

Sarah Goodin is the girl that was in the same college with Mark Zuckerberg .

Apparently, Palestinians don’t have Harvard worship.

Then here’s some of his traffic with facebook techs:

as usual they ignored my replay so i did report another , this email shows their replay to my second report including the report :

Hi Ḱhalil, I am sorry this is not a bug. Thanks, Emrakul Security Facebook

Well after a couple of these notes, Khalil proved his point by going to Zuckerberg’s page.

i know that you guys now know that it’s a bug for sure after deactivate my account which is& i want my account back soon as possible , as i report the bugs for you and i didnt use another fake accounts or test accounts to break privac

Facebook didn’t accept his story, and Shreateh called B.S. on it.

i replay back that facebook report page has a ” prove concept ” and i cant prove without sending pictures or video . that is bullshit

after my second report i record this video which shows the exploit , i was rush recording it cause they was able to close that exploit in any second :

Here is that video account of his “exploite”, showing a computer screen. It’s gone viral, 360,000 views, complete with the adorable exploding-hearts-graphic as Shreateh’s marker.

A commenter explained to Khalil that “reply” is not spelled “replay.”

He responded:

whatever , i dont care for miss spelling , just the idea , i never correct an underline red word ;)

Richard Odekerken, technical director of VANAD Laboratories in Rotterdam, sought to counsel him too:

Ḱhalil you should realize that making so many grammar and spelling mistakes causes you to be taken less seriously by the rest of the world.

Ondrej Zastera celebrated him:

Hi Ḱhalil,

you made a serious discover that could affect millions of people and you didn’t abuse it. You did the opposite thing – you reported it to the qualified persons.

The level of understanding is relative. If something is unclear, questions should be raised. You were obviously ready to co-operate.

No matter what, you deserve a certain kind of reward for sure. Facebook statement is just a shameful excuse for not giving it to you. You deserve a credit, not a disrespectful treatment we see here.

AP managed to get a photo of Shreateh (above) in Yatta and describes the job offers.

The stunt cost the 30-year-old Palestinian the bounty, but earned him praise — and numerous job offers — for being able to get to the boss of the world’s most ubiquitous social network.

Shreateh, who lives near the West Bank city of Hebron and has been unable to find a job since graduating two years ago with a degree in information technology, told Facebook that he found a way that allowed anyone to post on anyone else’s wall. “I told them that you have a vulnerability and you need to close it,” he told The Associated Press. “I wasn’t looking to be famous. I just wanted to make a point to Mark (Zuckerberg).”…

The bug — and Facebook’s response to it — has become a talking point in information security circles, with many speculating that the Palestinian could have helped himself to thousands of dollars had he chosen to sell the information on the black market.

Shreateh said he was initially disappointed by the Facebook response but that after being inundated by job offers from all over the world he is pleased with how things worked out.

“I am looking for a good job to start a normal life like everybody,” he said. “I am so proud to be the Palestinian who discovered that exploit in Facebook.”


This Article Appears in :