If you’re a hacker and you find a bug in Facebook, you have the chance to submit it through the company’s white hat disclosure program and get a reward.
But what if you’ve found a bug, and Facebook ignores you?
A Palestinian hacker took the inadvisable step of posting on Facebook founder Mark Zuckerberg’s Timeline, taking advantage of the very bug he was trying to report.
Khalil Shreateh, a Palestinian developer and hacker, discovered that there was a way to bypass Facebook’s privacy settings and post on anyone’s timeline — even the timelines of users who are not your friends.
He first reported the vulnerability via email to the bug bounty program. But the social network failed to recognize the vulnerability in his report, according to Shreateh’s blog post.
Before reporting the bug, Shreateh successfully tested it by posting on the wall of Sarah Goodin, Zuckerberg’s former college classmate. He included a link to this post in the email, but the Facebook security employee who received the email — identified only as Emrakul — couldn’t see the post, since he wasn’t friends with Goodin.
That’s what Shreateh tried to explain in a follow-up to Emrakul, warning that he could very well post to Zuckerberg’s wall if he wanted. He added that he wouldn’t, “cause I do respect people privacy,” as he allegedly wrote. His second email, however, was ignored.
Shreateh then sent another official report, explaining the bug again. This time, Emrakul allegedly answered: “I am sorry this is not a bug.” To which Shreateh answered: “ok, that mean [sic] I have no choice other than report this to Mark himself on Facebook.”
And so he did.
The exploit got the attention of Ola Okelola, another Facebook security engineer. Okelola commented on the post, asking for more information on the bug. After a brief discussion, Shreateh’s Facebook account was suspended “as a precaution,” as another Facebook security engineer named Joshua explained to Shreateh by email.
“Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,” Joshua wrote. “We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.” He added that Facebook was “unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service.”
By posting on Zuckerberg’s wall, Shreateh also violated Facebook’s responsible disclosure policy — which prohibits people who discover bugs from exploiting them, and from demonstrating the bugs on other people’s accounts without their permission.
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” explained Facebook’s Matt Jones on the site Hacker News. Facebook has confirmed to Mashable that Jones is indeed an employee.
“Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent,” Jones added.
Facebook declined to comment further. The bug itself was fixed on Thursday, according to Jones.
Shreateh won’t be rewarded for his finding, because he violated the disclosure policy.