The world’s biggest social network has a long-standing policy of paying people who find and report security vulnerabilities in its network a $500 bounty. There is a process set up where “white hat” hackers and other users can turn in their findings. Once the security team investigates and confirms the breach, Facebook gives the reporter $500. That’s not going to be the case for Palestinian “security specialist” Khalil Shreateh.
The Daily Mail reports that Shreateh discovered a vulnerability in Facebook that allowed anyone to post a message on the Facebook wall of any other user regardless of that user’s privacy settings. While it’s not as bad as hacking someone’s account and posting as that person, it could leave more high-profile Facebook users, and even regular Facebook users, feeling vulnerable. Unlike LinkedIn, Google+, and Twitter, many people turn to Facebook for family communications and other networking with people they actually know.
When Shreateh discovered this breach, he reported it. Unfortunately, either the Facebook security team didn’t feel it was a worthy breach, or they just felt like ignoring it. Facebook eventually told him it wasn’t a bug.
So, Shreateh found a friend of Mark Zuckerberg’s, fellow Harvard alum Sarah Goodin. Goodin and Shreateh have no connection whatsoever, yet Shreateh was able to post on her wall.
When this still wasn’t good enough Shreateh used the same trick and posted on Zuckerberg’s wall.
‘Sorry for breaking your privacy,’ he wrote in a post to Zuckerberg. ‘I had no other choice…after all the reports I sent to Facebook team.’
That post was immediately removed, and Facebook security experts patched the vulnerability that Shreateh had originally reported in hopes of earning the $500.
In a Hacker News post, Facebook Security Team member Matt Jones posted that the bug had been fixed. He also explained why Shreateh wouldn’t receive the bounty.
‘In order to qualify for a payout you must “make a good faith effort to avoid privacy violations” and “use a test account instead of a real account when investigating bugs,”’ Jones wrote.
Facebook said that Shreateh violated the privacy of both Goodin and Zuckerberg. Jones was quick to point out that Shreateh could receive the bounty for reporting future bugs.