SAN FRANCISCO (AFP) — A researcher who hacked into Facebook chief Mark Zuckerberg’s profile to expose a security flaw won’t get the customary reward payment from the social network.
While Facebook offers rewards for those who find security holes, it seems that Palestinian researcher Khalil Shreateh went too far by posting the information on Zuckerberg’s own profile page.
Shreateh said on his blog he found a way for Facebook users to circumvent security and modify a user’s timeline.
He said he took the unusual step of hacking into Zuckerberg’s profile after being ignored by the Facebook security team.
“So i did post to Mark Zuckerberg’s timeline , as those pictures shows,” he said, including screen shots of the posting.
“Dear Mark Zuckerberg,” he wrote.”First sorry for breaking your privacy and post to your wall, i had no other choice to make after all the reports i sent to Facebook team. My name is KHALIL from Palestine.”
His reward for exposing the flaw was having his Facebook account disabled.
He later got a message saying, “We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
Facebook said it appreciates help with security but not by hacking into user accounts.
Facebook security engineer Matt Jones posted a comment Sunday on a security forum saying “we fixed this bug on Thursday,” and admitted that “we should have asked for additional … instructions after his initial report.”
“We get hundreds of reports every day,” Jones said. “We have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided.”
Jones added that “the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission.”
“We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines,” Jones said on the YCombinator hacker news forum.
Independent security researcher Graham Cluley said he had “some sympathy” with Facebook on the issue.
“Although he was frustrated by the response from Facebook’s security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg’s wall,” Cluley said on his blog.
Note from occpal
“White hat-hackers” have made the internet safety what it is today. Without people like Khalil, reporting bugs and security holes your own safety online would never be on the level which it is today.
I regard it a very lame action of FB to deny Khalil’s access after several previous reports of the bug.
A Reminder for Zuckerberg
“One can not break into your home if you leave the key on the door!” Did you build a faulty one and call a professional for a ‘repair’ of the lock to secure the lock, you’d pay him as well for improving your safety and your own data.
Or one day, if you stay a miser, you will be not this lucky to get honest reports from intelligent people and end up like the person who owns this bike. It was locked but they still got away with it’s essential parts!
Not white hat style mind you!
In the meanwhile….
“Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.”
Noblesse oblige Mark Zuckerberg!
If Facebook pretends to have a white-hat-reward policy they should be grateful for the reporting of the security breach and live up to their policy especially since their own team of programmers did oversee and ignored these reports and only came into action after Khalil was left no other choice than to show it at the best place where it would get, and now really gets mainstream media attention!
Not one but several free wall of shame-pages for Zuckerberg!
Shame on you Zuckerberg. You ignored a talent and acted like a schmuck in stead of praising G-d on your knees for people like Khalil and even violated your own terms of rewards. Shows about what Facebook is about when it comes to paying the locksmith! Thank the same Allaah/G-d/God this story got the attention it deserved the other way around and no data of users was abused on public walls but Zuckerberg’s own greed and selective reward policy created own pages and nailed him on his own worldwide wall of shame and it did not cost him a single shekel!! Way to go Facebook!!! You can’t suspend what “bugs” people!!!
If you want to assist in the Facebook bounty you can donate on this page. Oh and don’t forget to read the comments Mark Zuckerberg. Comments at that page are free!
Kudos to Khalil;) Thank you for your alertness and for being one of the people that every day, improve our safety on the webz! For the people who prefer bytes over beats you’re our Arab Idol;)
I have asked Khalil to confirm the reports online to assure ourselves if the financial compensation as promised in several articles actually is or will be received or if , in the meanwhile, a real smart CEO who is not as short sighted as Zuckerberg did #HireKhalil in the meanwhile :) We’ll keep you posted!
You can follow and contact Khalil at twitter: