Security researcher hacks Zuckerberg's wall to expose Facebook flaw
The unemployed man had previously contacted Facebook's Whitehat team, but his attempts to report the bug were rebuffed.
Tue, Aug 20, 2013 at 10:28 AM
Frustrated that Facebook's security team wasn't taking him seriously, a Palestinian computer researcher last week figured out a different way to get the company's attention: He hacked into Mark Zuckerberg's Facebook page.
Unfortunately, because he had to break Facebook's rules to prove his point, the researcher, Khalil Shreateh of the town of Yatta on the West Bank, won't be seeing any "bug bounty" money from the company.
"Dear Mark Zuckerberg," read Shreateh's rogue posting on the page of Facebook's founder, chairman and chief executive officer. "Sorry for breaking your privacy and post[ing] to your wall, I has no other choice to make after all the reports I sent to Facebook team."
In a blog posting after the fact, Shreateh recounted the story: He'd found a security flaw in Facebook that allowed an attacker to post on anyone's wall or timeline.
But when he emailed Facebook's security team about it on Wednesday, Aug. 14, Shreateh was rebuffed twice: the first time for having sent a bad link to his proof, the second time with a curt dismissal after he posted on the Facebook page of a woman Zuckerberg knew in college.
"I am sorry this is not a bug," wrote a member of Facebook's security team.
Shreateh replied, "OK, that mean[s] I have no other choice than report this to Mark himself on Facebook."
And so he did.
"Couple days ago I discovered a serious Facebook exploit that allow users to post to other Facebook users timeline while they are not in friend list," Shreateh posted to Zuckerberg on Thursday, Aug. 15, explaining his finding. "As you see, I am not in your friend list and yet I can post to your timeline."
"I appreciate your time reading this and getting some one from your company team to contact me," Shreateh concluded.
Then Shreateh captured a screenshot of Zuckerberg's page with his own comment on it, and posted that screenshot to his own Facebook page.
That got Facebook's attention. Almost instantly, Shreateh got a message on his Facebook page from a different member of Facebook security. Then his Facebook account was temporarily deactivated.
"When we discovered your activity we did not fully know what was happening," another Facebook security staffer told Shreateh. "Unfortunately, your report to our Whitehat system [which encourages bug reporting] did not have enough technical information for us to take action on it."
Although Shreateh's Facebook account was soon reactivated, he was told he wouldn't qualify for Facebook's bug-bounty program, which rewards researchers who find security flaws with payments ranging from $500 to $5,000.
"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service" by making an unauthorized posting to a member's page, the email message Shreateh received said. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."
To Shreateh, who says on his blog that he's unemployed, this was unfair.
"I could sell" the exploit in underground malware bazaars, he told CNN in an interview. "I could make more money than Facebook could pay me."
Reaction online was mixed.
"Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall," wrote British security expert Graham Cluley.
"I think there was some misunderstanding between you and [the] Facebook Security Team," Pakistani computer researcher Mohammad Talha Hassan commented in response to Shreateh's screen grab of Zuckerberg's page. "When I reported a security issue to them, they kept me updated of all the progress and dealt with it professionally. I personally think that you should have waited a little more before publicly disclosing the issue."
But most of the comments on Shreateh's page, as well as on news reports about the issue, amounted to congratulations or recommendations that Facebook should hire Shreateh.
If Shreateh needs encouragement to do further research into Facebook security, he needn't look far: Top Facebook hacker Nir Goldshlager, who's received many Facebook bug bounties, lives right over the border in Israel.