Mark Zuckerberg’s timeline on Facebook is hacked to expose a bug
Facebook Inc. fixed a programming error last week that allowed users to post on any other user’s timeline regardless of privacy settings, a flaw that a hacker was able to exploit to post on Mark Zuckerberg’s profile even though the two weren’t friends.
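The flaw described above belongs to the broad class of missing server-side authorization checks: the handler that writes a post accepts the request without first consulting the target user's privacy setting. The following Python model is an added illustration and is not Facebook's code; the user fields, the `timeline_posting` setting and its values ("everyone", "friends", "only_me") and the two handler functions are all constructed for this example. It places the unchecked handler beside a hardened one so the difference in behaviour for a non-friend poster is visible.

```python
"""Constructed model of a timeline-post authorization check.

Added illustration, not Facebook's code: it models the class of flaw the
article describes (a server writing a post to any timeline without consulting
the target's privacy setting) and the corresponding fix.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the poster is not allowed to write on the target's timeline."""


@dataclass
class User:
    name: str
    # Constructed privacy setting for "who can post on my timeline":
    # "everyone", "friends" or "only_me" (assumed values, not Facebook's).
    timeline_posting: str = "friends"
    friends: set = field(default_factory=set)
    timeline: list = field(default_factory=list)


def can_post(poster: User, target: User) -> bool:
    """Server-side authorization decision for a post on target's timeline."""
    if poster is target:
        return True
    if target.timeline_posting == "everyone":
        return True
    if target.timeline_posting == "friends":
        return poster.name in target.friends
    return False  # "only_me" or any unrecognised setting: deny by default


def post_vulnerable(poster: User, target: User, text: str) -> None:
    """Before: the handler trusts the request and never calls can_post()."""
    target.timeline.append((poster.name, text))


def post_hardened(poster: User, target: User, text: str) -> None:
    """After: the handler enforces the target's setting before writing."""
    if not can_post(poster, target):
        raise Forbidden(f"{poster.name} may not post on {target.name}'s timeline")
    target.timeline.append((poster.name, text))


def demo() -> dict:
    """Run both handlers with a non-friend poster and a friend; report outcomes."""
    alice = User("alice", timeline_posting="friends", friends={"bob"})
    mallory = User("mallory")  # constructed non-friend account

    # Unchecked handler: the post lands although mallory is not a friend.
    post_vulnerable(mallory, alice, "hello")
    vulnerable_posted = len(alice.timeline)
    alice.timeline.clear()

    # Hardened handler: the same request is refused.
    try:
        post_hardened(mallory, alice, "hello")
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True

    # A friend is still allowed through, so the fix does not break normal use.
    bob = User("bob")
    post_hardened(bob, alice, "hi from a friend")
    return {
        "vulnerable_posted": vulnerable_posted,
        "hardened_blocked": hardened_blocked,
        "friend_posted": len(alice.timeline),
    }


if __name__ == "__main__":
    print(demo())
```

The decision is deliberately centralised in `can_post()` with a deny-by-default fallthrough, so a new or misspelled setting value fails closed rather than open; the write handler never reasons about privacy itself, it only asks.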
Coding errors are common in the tech world, but this one’s been getting attention because of the lengths the hacker went to get Facebook to acknowledge that the flaw existed.
Khalil Shreateh said on his blog that he reported the problem to Facebook through its bug bounty program, which allows hackers to collect a monetary reward for discovering and properly reporting flaws. More specifically, he wrote “the bug allow Facebook users to share links to other Facebook users.” The message included a link to the page of a user, whose wall Shreateh had posted on to demonstrate the bug.
A Facebook security team member responded, saying, “I dont see anything when I click link except an error.” Shreateh re-sent the same message, then escalated by posting on Zuckerberg’s timeline.
At that point, Facebook temporarily blocked Shreateh’s account, identified the issue and then denied him a reward, saying he had violated the bounty program’s terms of service. Hackers are welcome to test against test accounts, but they aren’t allowed to use bugs to interfere with the accounts of real users such as the Facebook chief executive.
In his blog, Shreateh posted a video recording of his screen that offered more details about the bug.
“Had he included the video initially, we would have caught this much more quickly,” Facebook site integrity team member Matt Jones wrote on Hacker News. Facebook confirmed Jones wrote the post.
“We get hundreds of reports every day,” Jones wrote. “Many of our best reports come from people whose English isn’t great -- though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those provide some modicum of reproduction instructions. We should have pushed back asking for more details here.”
Shreateh’s lack of good-faith effort to avoid affecting the accounts of real users meant he didn’t qualify for a reward. He could have also sought consent from real users to use their accounts to demonstrate the problem. Facebook gives at least $500 for valid reports.
“We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines,” Jones wrote.
Shreateh has received tremendous support online. He’s even received job offers and other solicitations to find bugs, according to his Facebook page.