A security flaw allowed a programmer write a post on Facebook CEO Mark Zuckerberg's personal timeline, even though they were not friends.
Palestinian programmer Khalil Shreateh discovered a security flaw in Facebook's code that would allow anyone to view and write a post on another person's timeline, bypassing their privacy settings. However, the hack has limits. Shreateh told CBSNews.com that he was not able to view photos or additional information about the person whose profile he breached.
Shreateh wrote in a blog post that he was able to write a post on the Facebook page of a woman named Sarah Goodin, who according to TechCrunch, is a college friend of Zuckerberg's. Shreateh says he tried to report his findings to Facebook's white hat program, which hands out rewards to people who find and submit bugs to Facebook. The rewards for finding a bug start at $500 and have no maximum dollar amount.
After his second correspondence with the team, Shreateh says they did not take his claims seriously, so he decided to get their attention by writing a post on Zuckerberg's wall.
"[A]s you an see iam not in your friend list and yet i can post to your timeline,"[sic] the message on Zuckerberg's wall said.
Shreateh says that he later received this message from the Facebook team:
We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service.
Facebook says that Shreateh did not follow their guidelines for submitting a bug through their white hat program. Because Shreateh did not use a test account, he remains unpaid for his submission.
"Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have -- violating our ToS and responsible disclosure policy)," Matt Jones, software engineer at Facebook wrote on Hacker News.
Facebook encourages security researchers to create a test account to test a hack. The company's terms of service say rewards will only be handed out to those who "make a good faith effort to avoid privacy violations."
"Exploiting bugs to impact real users is not acceptable behavior for a white hat," Jones wrote. "In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent."
Jones says the security loophole was fixed last Thursday. He added that while the Facebook team should have been more diligent in investigating the claims, Shreateh was not clear about what he found and how he did it.
Jones says Facebook would welcome future submissions from Shreateh and give him a reward -- if he follows the guidelines. A spokesperson for Facebook did not comment further on the incident.