White hat hacker uses Facebook bug to post on Zuckerberg's timeline

By on August 19, 2013, 3:08 AM
facebook, zuckerberg, hacking, security, white hat, bug bounty

Facebook offers a pretty attractive bug bounty program that rewards white hatters for identifying and reporting vulnerabilities in their service. In search of a $500+ reward, Palestine’s Khalil Shreateh discovered a method to circumvent the website’s privacy settings, allowing him to post on anyone’s timeline without consent.

Under normal circumstances, Shreateh would have been compensated for his findings, but his formal report to the company was ignored. After a couple of follow-up emails without an acceptable acknowledgement, the hacker decided to take matters into his own hands, using the bug to post a message directly to Mark Zuckerberg’s timeline.

According to Mashable, Shreateh originally tested out the exploit on a former college classmate of Zuckerberg’s, Sarah Goodin. His practice run proved to be successful and he later linked this post in his email to a Facebook security employee known only by the name Emrakul. Unfortunately, Emrakul isn’t friends with Goodin and thus couldn’t see the vulnerability. After sending a second and third email to clarify the exploit and describe how it operates, Emrakul responded by saying, “I am sorry this is not a bug”.

It was at this point that Shreateh’s patience started to wane, and he made the following post to Zuckerberg’s wall: “Sorry for breaking your privacy and post to your wall ... but a couple of days ago, I found a serious Facebook exploit”.

So Shreateh finally captured the attention of Facebook and was rewarded for his efforts? Although Facebook quickly jumped into action and did patch the bug on Thursday, Shreateh's actions were met with disapproval rather than praise.

By posting on Zuckerberg’s wall and acting on his exploit, Shreateh violated Facebook’s responsible disclosure policy, which prohibits hackers from using newly discovered bugs on the accounts of others without permission. As a result of these actions, his Facebook account was temporarily suspended “as a precaution”, and needless to say, he won’t be provided with any monetary compensation for his finding.

Facebook's Matt Jones reiterated this fact to Hacker News, saying “Exploiting bugs to impact real users is not acceptable behaviour for a white hat. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”

User Comments: 20

3 people like this | wastedkill said:

I read all this and how else was he going to get the point across to the stupid researchers at Facebook? He did the right thing. They all said it wasn't a bug, so he proved it, and he only did it on Mark's Facebook page, so how did he exploit it?

He is in the right, the researchers are in the wrong. It's their fault he had to go to the length he did to show them it is a bug and that he is not just trying to make a quick buck.

He deserves the cash. It's purely idiotic to deny him that. If I owned Facebook I wouldn't have denied him the cash, as the researchers said it wasn't a bug, so how else could he prove it? Simple: he had to prove it to them by showing them, hence why he deserves it.

Number one rule in life: if you say a bug isn't a bug, then when the guy proves it you don't deny him the cash, as he did the right thing. It's just that you have low-IQ employees, so you show your gratitude to him by giving him what's rightfully his. Or would you rather have the bug exploited without you knowing?

Halfmad said:

Done without permission, in what way is he a white hat then? Surely he's a gray hat for exploiting it, even without malicious intent.

He's a gray hat as he's exploited it and in doing so ensured it was made public.

2 people like this | Tiberath Tiberath said:

Done without permission, in what way is he a white hat then? Surely he's a gray hat for exploiting it, even without malicious intent.

He's a gray hat as he's exploited it and in doing so ensured it was made public.

The Facebook security team said "This is not a bug". You cannot exploit and make public something which the guys in charge of preventing just that scenario say isn't an exploit. They screwed up, not him.

It's like arresting someone after telling them what they're about to do isn't illegal.

Skidmarksdeluxe Skidmarksdeluxe said:

Now that's a kick in the teeth if I ever saw one. If I was this Khalil person I'd try to hack Zuckerberg's bank account and take what's rightfully mine, plus a bit more for effort, and leave a trail pointing to the NSA :-P **sigh** It's nice to dream.

TheBigFatClown said:

Mark Zergerburger has net assets worth 26 billion dollars and he offers a $500.00 reward for finding serious bugs? LOL. Can you spare it, Mr. Zergerburger? That is hilarious. I'll bet Mr. Zergerburger laughs inside every time he pays somebody $500.00 for finding serious bugs. That is what I call rape in the first degree.

I'd kick Mark right in the nuts if he tried to hand me a check for $500.00. What a slap in the face.

cliffordcooley cliffordcooley, TechSpot Paladin, said:

I'll bet Mr. Zergerburger laughs inside every time he pays somebody $500.00 for finding serious bugs.

Can you imagine what he does every time he uses a BS excuse not to pay for legitimate claims?

Guest said:

If FB said "it's not a bug", why the punishment? Although there's no reason to pay either. It's hard to compute a solution to this :D

tipstir tipstir, TS Ambassador, said:

Bad code on FB's part should have been debugged. Timeline is not secured as we all were told. FB, like so many protected areas, is not protected.

2 people like this | Adhmuz Adhmuz, TechSpot Paladin, said:

Facebook is run by assholes, big surprise there. Mark Zuckerberg is the biggest of them all and this is just another reason not to have a FB account. If I was in Khalil Shreateh's shoes I'd do anything and everything in my power to make the jobs of the people running FB's security a living hell for the foreseeable future. He got scammed, the way a lot of people do, and he has every right to be upset. Also, $500 is such a joke; at least Google offers 10 times that for exploits, and even more if it's a serious issue.

RenGood08 RenGood08 said:

Wow...seriously Facebook? That is just....ugh. Makes me want to close my account even more.

3 people like this | Lurker101 said:

Wow...seriously Facebook? That is just....ugh. Makes me want to close my account even more.

Instead of talking, why not just do it? Or are you one of those people who threaten to close their facebork profile every time there's a little bit of drama?

RenGood08 RenGood08 said:

No. I have family members I can get ahold of easily and they at least have Facebook. So I keep it JUST for them. =P

RenGood08 RenGood08 said:

I could be more dramatic about it. I THINK about it. Doesn't mean I WILL do it. =P

Logic Overflow said:

Wow...seriously Facebook? That is just....ugh. Makes me want to close my account even more.

Instead of talking, why not just do it? Or are you one of those people who threaten to close their facebork profile every time there's a little bit of drama?

It seems you're the type of person who just likes to stir the pot. *Corrected.

1 person liked this | Lurker101 said:

I'm the sort of person who's more than a little sick of people constantly "threatening" to leave facebork. They'll happily sit there, draw a line in the sand and declare loud and clear "if facebook crosses this line, I'm done". Then facebook inevitably crosses the line and instead of leaving, they'll take a step back and draw a new line in the sand until eventually, they're out of the sand and into tropical tundra.

1 person liked this | Cycloid Torus Cycloid Torus said:

Always thought FB full of holes, now certain. Never joined, probably never will.

Adhmuz Adhmuz, TechSpot Paladin, said:

It seems you're the type of person who just likes to stir the pot. *Corrected.

And what are you doing, if not contradicting yourself?

NTAPRO NTAPRO said:

"I has no choice"

TheDreams TheDreams said:

I bet the Facebook security team caught hell for this :P

tipstir tipstir, TS Ambassador, said:

We all have family and close friends on FB. But lately I've been moving things off my timeline after this news.
