Ma’an News Agency | Aug 20, 2013 (Developments are updated below this post)
Follow @MaanNewsAgency
While Facebook offers rewards for those who find security holes, it seems that Palestinian researcher Khalil Shreateh went too far by posting the information on Zuckerberg’s own profile page.
Shreateh said on his blog he found a way for Facebook users to circumvent security and modify a user’s timeline.
He said he took the unusual step of hacking into Zuckerberg’s profile after being ignored by the Facebook security team.
“So i did post to Mark Zuckerberg’s timeline , as those pictures shows,” he said, including screen shots of the posting.
“Dear Mark Zuckerberg,” he wrote.”First sorry for breaking your privacy and post to your wall, i had no other choice to make after all the reports i sent to Facebook team. My name is KHALIL from Palestine.”
His reward for exposing the flaw was having his Facebook account disabled.
He later got a message saying, “We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
Facebook said it appreciates help with security but not by hacking into user accounts.
Facebook security engineer Matt Jones posted a comment Sunday on a security forum saying “we fixed this bug on Thursday,” and admitted that “we should have asked for additional … instructions after his initial report.”
“We get hundreds of reports every day,” Jones said. “We have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided.”
Jones added that “the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission.”
“We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines,” Jones said on the YCombinator hacker news forum.
Independent security researcher Graham Cluley said he had “some sympathy” with Facebook on the issue.
“Although he was frustrated by the response from Facebook’s security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg’s wall,” Cluley said on his blog.
Note from occpal
“White hat-hackers” have made the internet safety what it is today. Without people like Khalil, reporting bugs and security holes your own safety online would never be on the level which it is today.
I regard it a very lame action of FB to deny Khalil’s access after several previous reports of the bug.
A Reminder for Zuckerberg
Or one day, if you stay a miser, you will be not this lucky to get honest reports from intelligent people and end up like the person who owns this bike. It was locked but they still got away with it’s essential parts!
Not white hat style mind you!
In the meanwhile….
Not Facebook but several supporter initiatives are reported in media in effort to reward Khalil for his work. here and here. Resulting in a fundraiser started by Marc Maiffret stating:
“Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.”
Noblesse oblige Mark Zuckerberg!
If Facebook pretends to have a white-hat-reward policy they should be grateful for the reporting of the security breach and live up to their policy especially since their own team of programmers did oversee and ignored these reports and only came into action after Khalil was left no other choice than to show it at the best place where it would get, and now really gets mainstream media attention!
Not one but several free wall of shame-pages for Zuckerberg!
Facebook Bounty
If you want to assist in the Facebook bounty you can donate on this page. Oh and don’t forget to read the comments Mark Zuckerberg. Comments at that page are free!
Kudos to Khalil;) Thank you for your alertness and for being one of the people that every day, improve our safety on the webz! For the people who prefer bytes over beats you’re our Arab Idol;)
I have asked Khalil to confirm the reports online to assure ourselves if the financial compensation as promised in several articles actually is or will be received or if , in the meanwhile, a real smart CEO who is not as short sighted as Zuckerberg did #HireKhalil in the meanwhile :) We’ll keep you posted!
You can follow and contact Khalil at twitter:
Follow @khalilshreateh
Related