Security Researcher Proves Facebook Bug by Hacking Zuckerberg’s Wall

Security researcher Khalil Shreateh discovered a Facebook bug that allowed anyone to post on any user’s wall, even when the target’s privacy settings should have restricted posting to friends.

It was Shreateh’s method of demonstrating the vulnerability that raised some eyebrows: Shreateh exploited the bug to post news of the bug on Facebook founder and CEO Mark Zuckerberg’s private wall.

In Shreateh’s defense, he first tried more conventional routes. He demonstrated the bug by posting on the friends-only wall of Sarah Goodin, a college friend of Zuckerberg’s, and submitted a link to that post to the Facebook Security team.

However, the administrator who responded said that the link showed only an error rather than the post. Shreateh resubmitted the bug with the same link, explaining that to see the post the reviewer would have to be friends with Goodin or use administrative permissions to view her page. The same Security team member responded, “I am sorry this is not a bug.”

So Shreateh stepped it up a notch to get his efforts noticed: instead of posting to the wall of one of Zuckerberg’s friends, he would get the attention of the big man himself. Shreateh posted to Zuckerberg’s timeline, “Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall, I had no other choice to make after all the reports I sent to Facebook team.”

Sure enough, that did the trick. Minutes later a different Facebook Security engineer replied to Shreateh, asking for details about the exploit.

Facebook does have a white hat bug bounty program that rewards researchers who responsibly report security flaws: the minimum payout is $500, the reward increases with the bug’s severity and creativity, and there is no maximum. Shreateh, however, will not be seeing a payout. By posting to Goodin’s and Zuckerberg’s walls he violated Facebook’s eligibility guidelines, which allow only test accounts to be used when investigating bugs. Facebook also told him that he had not supplied enough technical detail for the Security team to investigate or reproduce what he had done.

Naturally, this has sparked debate about whether Facebook should pay a bounty anyway. After all, Shreateh was trying to make Facebook aware of the bug rather than disclosing it publicly or selling it to the highest bidder. Facebook Security engineer Matt Jones even joined the discussion on Hacker News:

For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those … provide some modicum of reproduction instructions. We should have pushed back asking for more details here.

However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat.

Do you think Facebook should reward Shreateh for exposing the bug anyway? Or are they right in enforcing the rules?
