Security flaw in Facebook: Zuckerberg’s profile page hacked

A Palestinian security researcher named Khalil Shreateh has exposed a Facebook security flaw by posting an alert on site founder Mark Zuckerberg’s own Facebook page to prove the legitimacy of his bug report, after the social network’s security team had dismissed his earlier reports of the vulnerability.

According to Shreateh, the bug allowed any user to share and publish links on any other Facebook user’s wall, including users who were not their friends.

In his initial report of the bug, Shreateh demonstrated that he could post on anyone’s wall by submitting a link to a post he had made on the wall of Sarah Goodin, a college friend of Zuckerberg and the first woman on Facebook.

Unfortunately, the member of the Facebook Security team who clicked the link was not friends with Goodin, whose wall was set to be visible to friends only. As a result, they could not see Shreateh’s post. Facebook Security can override privacy settings to view anything posted on the site, but the reviewer apparently did not do so. A proof-of-concept link is only useful if the person triaging the report can actually see what it points to; step-by-step reproduction instructions would have avoided this dead end.

“I don’t see anything when I click the link except an error”, responded Facebook Inc’s Security team.

Shreateh resubmitted the bug with the same link, explaining that anyone investigating it would need to either be Goodin’s friend or “use [their] own authority” to view the private post.

“I am sorry this is not a bug”, replied the same member of the Security team, apparently without having grasped what was being reported.

Shreateh responded by posting a note on Zuckerberg’s timeline. “Sorry for breaking your privacy [to post] to your wall,” it read, “I [had] no other choice to make after all the reports I sent to Facebook team”.

Shortly afterward, Shreateh’s Facebook account was deactivated and he was contacted by a Facebook security engineer requesting full details of the exploit.

“Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,” the engineer wrote in an email. “We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.”

The minimum reward for a successful report is $500, and Facebook states that “there is no maximum reward: each bug is awarded a bounty based on its severity and creativity”. The company claims to have paid out more than $1 million so far. However, because Shreateh violated Facebook’s terms of service by using the bug against other users’ accounts, he is not eligible for a reward under the site’s White Hat program, which exists to find and fix such bugs.

In a Hacker News thread, Matt Jones, an engineer on Facebook’s security team, confirmed that the bug has now been fixed and admitted that the company should have asked for more details after Shreateh’s initial report. He wrote: “We should have pushed back asking for more details here.”

Carrie Ann
Carrie Ann is Editor-in-Chief at Industry Leaders Magazine, based in Las Vegas.