Facebook founder's wall was hacked by a well-meaning threat finder

A man from the West Bank who came across a security flaw in the Facebook privacy system used an unorthodox method of showing that it was real. But he won’t be getting his payday for the discovery.

Facebook is like many technology companies in that it pays people to discover bugs in its systems. This might be a security flaw or some kind of coding error. The company has paid out a fair amount of cash for such reports, which allow it to tighten the screws and fix the cracks in its site.

Khalil Shreateh is one such reporter. He had found a major flaw that would allow people to post on the walls of users who were not on their friends list.

After reporting the bug twice, he was told it was “not a bug” by the Facebook engineer who read his report. Screencaps showing the vulnerability were provided, but the report did not include much technical information.

Between that and a language barrier, several misunderstandings arose between the development team and Khalil, leading him to a more extreme way of proving his point.

Using the profile of a woman who went to school with Zuckerberg, he posted a message to the Facebook founder that explained the situation. You can see the post on his official blog.

Obviously, this got their attention immediately. His account was temporarily disabled, though reinstated once the bug was fixed. What wasn’t worked out was payment for the bug: Facebook refuses to pay.

“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” a message to Khalil read.

On one hand, I can understand why they didn’t give him the money. It would set a bad precedent if they rewarded someone who didn’t follow the site’s procedure.

But on the other, he reported the bug three times. He was rather curtly ignored, and the engineering team was actually pretty rude. They made no attempt to continue the conversation or deal with the language barrier, and they dismissed him without asking for any further information.

To then go on to ask that he keep looking for further vulnerabilities? That is pretty unprofessional behavior, and definitely not the way to handle this situation.

All in all, I would say Facebook is on the wrong end of the stick here. They should just fork over the money and make some changes to their obviously crappy technical support policies.

Source: PC World
