A Palestinian security expert who goes by the name of Khalil Shreateh has exposed a Facebook security flaw by posting an alert on site creator Mark Zuckerberg's Facebook page to prove the legitimacy of his bug report, after the social network giant’s security team ignored his previous reports on the vulnerability.
According to Khalil Shreateh, the FB bug allowed any user to share and publish links on any other Facebook user's wall.
In Khalil’s preliminary report of the bug, he demonstrated that he was able to post on anyone’s wall by submitting a link to a post he’d made on the wall of Sarah Goodin, a college friend of Zuckerberg, and the first woman on Facebook.
Unfortunately, the member of the Facebook Security team who clicked the link wasn’t friends with Goodin, whose wall was set to be visible to friends only. As a result, they couldn’t see Khalil’s post. However, Facebook Security can certainly override privacy settings to see anything posted on the site, which they didn’t seem to do.
“I don’t see anything when I click the link except an error”, responded Facebook Inc’s Security team.
Khalil again submitted the bug with the same link again, explaining that anyone investigating the link would need to either be Goodin’s friend or would need to “use [their] own authority” to view the private post.
“I am sorry this is not a bug”, replied the same member of the Security team, seemingly not able to comprehend what was going on.
Khalil responded by posting a note into Zuckerberg’s timeline. “Sorry for breaking your privacy [to post] to your wall,” it read, “i [had] no other choice to make after all the reports I sent to Facebook team”.
Within a short span, Shreateh's Facebook account was deactivated and he was contacted by a Facebook security engineer requesting all the details of the exploit.
"Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," the engineer wrote in an email. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."
The minimum reward for a successful report is $500, and Facebook states that “there is no maximum reward: each bug is awarded a bounty based on its severity and creativity”. The company claims to have paid out more than $1 million so far. However, since Shreateh violated Facebook's terms of service by hacking the pages of other users, he is not eligible to receive a reward under the site's White Hat program, which is designed to find and fix bugs.
In a Hacker News thread, Matt Jones, an engineer on Facebook's security team, confirmed that the bug has now been fixed, admitting that the company should have asked for more details after Shreateh's initial report. He wrote: “We should have pushed back asking for more details here.”