Facebook wouldn't reward this white hat, but his fellow hackers will
Fellow hackers, led by security expert Marc Maiffret, are attempting to raise $10,000 in order to compensate Khalil Shreateh, who was denied a bounty by Facebook even after exposing a significant programming bug. So far Maiffret has succeeded in raising $8,785, more than 17 times the payout Shreateh would have received if he'd received a bounty from Facebook in the first place.
"Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work," Maiffret writes on the fundraising page. "Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone."
The bug Shreateh uncovered would have allowed anyone to post messages to another user's account, even without being friends. It's the kind of loophole that could be easily exploited by spammers and scam artists. Rather than selling the information on the black hat market, Shreateh offered it up to Facebook, hoping to collect a reward through the social network's bounty program. The bounty program typically pays out $500 for this sort of bug, though the company has paid as much as $20,000 or offered full-time jobs to researchers who've uncovered more substantive security flaws.
Shreateh made his discovery known by posting an Enrique Iglesias video to a Facebook page belonging to one of Zuckerberg's college friends as proof-of-concept, then sent a note to the site's security team. The team initially gave Shreateh the brush-off, saying the loophole was not a bug. This prompted Shreateh to go straight to the source, using the bug to post a message to Zuckerberg's page.
Facebook has since said the initial brush-off was the result of a miscommunication with Shreateh, a non-native English speaker, but has continued to deny him any sort of bounty, saying he violated Facebook's terms of service by posting to another user's account.
But Maiffret, a former teen hacker, believes Shreateh is still entitled to some sort of reward for the bug he uncovered. Putting forth $3,000 of his own money to kickstart the effort, the chief technology officer of BeyondTrust has implored others to help give Shreateh his just dues. Speaking to Wired, Maiffret likened the West Bank hacker to a young version of himself.
"Ultimately, he was well-intentioned and hopefully he stays on the same track of doing research,” Maiffret said. “I come from the vulnerability research space and any way to give back and give somebody else a chance to get going … If somebody can make this a career and somehow branch out, that’s awesome to me."
Although Shreateh violated Facebook rules by posting to other user's pages, Maiffret said the researcher was still acting in good faith to expose a problem that Facebook was ultimately able to fix before scammers got a hold of it. He said it's important for these kind of actions to be rewarded in order to keep folks like Shreateh from going over to the darkside and selling their information to blackhat hackers who would use the info for nefarious purposes.
Even Shreateh, who has been unemployed for two years, said he agreed to take less money going the white hat route.
"I could sell (information about the flaw) on the black (hat) hackers' websites and I could make more money than Facebook could pay me," he said in an interview with CNN. "But for me -- I am a good guy. I don't deal with the black (hat) stuff."