Outsmarted: Mark Zuckerberg’s Facebook Page Gets Hacked

Facebook CEO Mark Zuckerberg is typically portrayed as being the smartest guy in the room. So it was pretty ironic when a web developer hacked Zuckerberg’s Facebook page to draw attention to a security flaw that he had previously pointed out to the company. Khalil Shreateh, an IT expert from Palestine, reported the flaw to Facebook’s security team. Yet they ignored the problem, that is, until Khalil used the vulnerability to post on Zuckerberg’s wall. According to techcrunch.com:

“Earlier this week, security researcher Khalil Shreateh discovered a Facebook bug that allowed a hacker to post on anyone’s wall — even if they weren’t that person’s friend.

“While he was able to prove to Facebook that his bug was legit (despite an initial response that it wasn’t a bug at all), Facebook wasn’t too happy with the way he did it: by using the bug to post on Zuckerberg’s otherwise friends-only wall.”

Khalil Shreateh initially tried to demonstrate the problem to Facebook’s security team by posting on the account of one of Zuckerberg’s friends, but after Facebook engineers took a look at what Khalil posted, they determined “this is not a bug.” As reported by theverge.com:

“Shreateh says he tested the vulnerability on Sarah Goodin — a friend of Facebook CEO Mark Zuckerberg, and the first woman to sign up to the service — before reporting it through Facebook’s whitehat disclosure service for security researchers. The whitehat service rewards researchers with at least $500 for successful bugs. In a copy of an email sent to Facebook, Shreateh explains the details and notes that the security team might not be able to see his test post as Goodin restricts posts to only her friends. Despite attaching a screenshot of the post, a Facebook security engineer, identified only as Emrakul, replied saying “I am sorry this is not a bug,” without asking for additional information.

“Unperturbed by the response, Shreateh decided to notify Mark Zuckerberg himself by posting to his timeline. Minutes later, Facebook security engineer Ola Okelola contacted Shreateh requesting details on the exploit.”

Now that the issue has been fixed, there’s still some controversy over whether Khalil Shreateh should be paid for the bug he discovered. Facebook has a program called ‘white hat’ that pays hackers a minimum of $500 for vulnerabilities they find in the platform. But in order to be considered a ‘white hat,’ the programmer cannot draw attention to the issue by exploiting real Facebook accounts, which is what Khalil did. In a statement, a Facebook engineer said:

“exploiting bugs to impact real users is not acceptable behavior for a white hat. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”

Doesn’t look like Mr. Shreateh is going to get the reward, at least not publicly. Nonetheless, he can gloat that he outsmarted the ‘smartest guys in the room.’
