A hacker from Palestine found a Facebook glitch that allowed anyone to post on a stranger’s wall, but when the company ignored his warnings he took them all the way to the top by posting about the issue on Mark Zuckerberg’s wall.
Khalil Shreateh first contacted the Facebook security team after proving the glitch was real by writing on the wall of a friend of the Facebook founder.
But instead of thanking him and fixing the issue, Facebook said it wasn’t a bug. And because of the methods Shreateh used to finally convince them of the threat, Facebook later denied him the reward usually given to programmers who report holes in the site’s security.
‘My name is Khalil Shreateh. I finished school with B.A degree in Information Systems . I would like to report a bug in your main site (www.facebook.com) which i discovered it…The bug allow facebook users to share links to other facebook users , I tested it on Sarah.Goodin wall and I got success post.’
Shreateh, whose first language is Arabic, lives in Palestine and is in no way connected with Zuckerberg’s fellow Harvard alum Goodin. He hoped his ability to post to her page, nonetheless, would help prove his case to Facebook security.
However, instead of repairing the obvious security breach, Facebook replied to Shreateh by saying the issue ‘was not a bug.’
Undeterred, Shreateh used the glitch to hack his way onto Mark Zuckerberg’s Facebook page.
‘Sorry for breaking your privacy,’ he wrote in a since removed post to Zuckerberg, ‘I had no other choice…after all the reports I sent to Facebook team.’
Shreateh went on to recount his attempts to warn the website and posted a grab of the post on his blog.
Minutes later, his pleas were answered. Facebook contacted him demanding to know how he’d hacked their bosses personal page.
‘We fixed this bug on Thursday,’ wrote Matt Jones from Facebook’s security team in a Saturday post on Hacker News.
Facebook has a bounty program designed to bribe hackers into reporting glitches they find rather than exploiting them. Such validated reports are worth $500.
But in his post, Jones explains that Shreateh will not be getting his money.
‘In order to qualify for a payout you must “make a good faith effort to avoid privacy violations” and “use a test account instead of a real account when investigating bugs,”’ Jones writes.
By posting to Zuckerberg and Goodin’s accounts, says Jones, Shreateh violated the terms of service and will not be rewarded for his find.
Nonetheless, Facebook welcomes Shreateh to inform them of any additional glitches he finds for them in the future.
‘[We] will pay out for future reports from him,’ writes Jones, ‘if they’re found and demonstrated within these guidelines.