A Palestinian programmer has highlighted a flaw in Facebook’s security system by posting a message on Mark Zuckerberg’s private page. Khalil Shreateh used a vulnerability he discovered to hack the account of the Facebook founder and raise the alarm. Mr Shreateh said he had tried to use Facebook’s White Hat scheme, which offers a monetary reward for reporting vulnerabilities, but had been ignored.
Facebook said it had fixed the fault but not would be paying Mr Shreateh. Mr Shreateh found a security breach that allowed Facebook users to post messages on the private “walls” of people who had not approved them as “friends”, overriding the site’s privacy features. He wrote to Facebook’s White Hat team to warn them of the glitch, providing basic details of his discovery.
After a short exchange with the team, Mr Shreateh received an email saying: “I am sorry this is not a bug”. Following this rebuttal, Mr Shreateh exploited the bug to post a message on Mr Zuckerberg’s page.
In the post, Mr Shreateh, whose first language is Arabic, said he was “sorry for breaking your privacy and post to your wall” but that he had “no other choice” after being ignored by Facebook’s security team.
An engineer on Facebook’s security team, Matt Jones, posted a public explanation saying that although Mr Shreateh’s original email should have been followed up, the way he had reported the bug had violated the site’s “responsible disclosure policy”. He added that as Mr Shreateh had highlighted the bug “using the accounts of real people without their permission”, he would not qualify for a payout.