MANILA, Philippines – Khalil Shreateh, a security researcher, found a bug in the social network Facebook that allowed anyone to post on another user’s wall even if they were not friends with the targeted person. However, the way in which he proved it to Facebook’s security team may deprive him of a bounty for spotting and reporting the issue.
To prove to Facebook’s security team that there was a legitimate issue or bug in play despite Facebook initially responding that there was no issue, he demonstrated it by posting a message on Facebook founder Mark Zuckerberg’s wall.
As his blog post recounts, Khalil says the security team initially ignored his report; after he submitted a link to a post he had made on the wall of Sarah Goodin, the first woman to be on Facebook, the team reportedly replied that this wasn’t a bug.
TechCrunch adds that the Facebook security team member who checked the link was not friends with Goodin and so was unable to see Khalil’s post. Security team members can reportedly override privacy settings to check for issues like this, but they did not appear to do so in this case.
Khalil decided to go a bit further to present his case by posting on Zuckerberg’s wall, apologizing for doing so in his message. Facebook engineers sprang to action, reaching out to him to ask for information on the issue.
The catch is that, while most critical bugs reported responsibly do earn a bounty of at least $500, with more severe bugs fetching higher amounts, Khalil did not receive a bounty because of how he went about reporting the bug.
Instead of using test accounts to investigate the issue, he tested against other Facebook users’ accounts. Facebook also said his report did not contain enough detail to reproduce the bug.
While disheartening, it’s fair warning to those who mean well to go through the proper channels and not to hack the founder of Facebook to prove a point. – Rappler.com