A hacker was having trouble getting Facebook to take his bug report seriously—until he used the vulnerability he had found to post a message to CEO Mark Zuckerberg’s private timeline.
Last week, Khalil Shreateh warned Facebook he had found a bug that let him post messages on any user’s timeline, regardless of privacy settings. He had tested his trick out on the Facebook account of Sarah Goodin, a Harvard classmate of Mark Zuckerberg’s and the first woman to join Facebook, and he attached a screenshot as proof.
No response from Facebook. He sent the message again.
“I am sorry this is not a bug,” a rep finally wrote back.
But Shreateh was determined to show Facebook what he had found, and collect one of the monetary awards the company gives to “white hat” hackers who report serious vulnerabilities—so he posted his report on Zuckerberg’s wall.
Within minutes, he had a reply from a Facebook engineer asking for more information.
But, to Shreateh’s dismay, the reward was not forthcoming. Instead, Facebook shut down his account for violating the site’s terms of service.
He eventually convinced Facebook to restore his account, but he couldn’t talk the company into a White Hat payout, although Facebook engineers acknowledge he discovered the bug.
“Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” wrote the Facebook employee who restored Shreateh’s account.
The lesson here? It pays to fully document a vulnerability before you send in your report. It doesn’t pay to mess with Mark Zuckerberg’s privacy.
Photo via Mark Zuckerberg/Facebook