A Palestinian researcher posted a message on Facebook CEO Mark Zuckerberg’s page last week after he says the site’s security team didn’t take his warnings about a security flaw seriously.
“First, sorry for breaking your privacy and post(ing) to your wall,” wrote Khalil Shreateh. “I (have) no other choice to make after all the reports I sent to (the) Facebook team.”
Shreateh, who describes himself as an unemployed security researcher with a degree in information systems, said he found a hole in Facebook’s systems that let him post to any user’s page, including users not on his Friends list.
Such an exploit would be a virtual gold mine for spammers, scam artists and others seeking to take advantage of the site’s roughly 1 billion users worldwide.
On his blog, Shreateh posted a series of e-mails he said were exchanged between him and Facebook security. After the first one, a Facebook employee responded that the link he attached was bad.
Shreateh had included a post — an Enrique Iglesias video — he says he posted on the page of a woman who went to college with Zuckerberg. He speculated that Facebook’s security team couldn’t see it because they weren’t on her Friends list.
Facebook responded to his second message to say the issue he was reporting was not a bug.
His response: “ok that mean(s) I have no choice other than report this to mark himself on facebook.”
Needless to say, that got their attention.
Facebook says the flaw was fixed on Thursday. But over the weekend the episode began making headlines on tech blogs.
On the Hacker News website, Facebook security team member Matt Jones wrote that the language barrier with Shreateh, who is not a native English speaker, and the volume of reports the site receives were partly to blame for the site’s slow response.
“Unfortunately, all he submitted was a link to the post he’d already made (on a real account whose consent he did not have) … saying that ‘the bug allow facebook users to share links to other facebook users,’ ” Jones wrote.
“For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great — though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters.”
Because he violated Facebook’s terms of service by hacking the pages of other users, Shreateh is not eligible to receive a reward under the site’s White Hat program designed to find and fix bugs.
Shreateh, who says he has been looking for work for two years, lives in the Palestinian city of Yatta, where the unemployment rate is officially 30% and believed to actually be higher.
“I could sell (information about the flaw) on the black (hat) hackers’ websites and I could make more money than Facebook could pay me,” he said in an interview with CNN. “But for me — I am a good guy. I don’t deal with the black (hat) stuff.”
In hacker circles, “white hat” is a term for people who report exploits they find so they can be fixed, while “black hat” often refers to people who hack to take advantage of those exploits.
He acknowledged hoping his tip would lead to a reward from Facebook.
“I never asked them, ‘I want $4,000 or $5,000’,” he said. “I didn’t deal with them like that … . (But) I really needed that money.”
Jones acknowledged that the security team should have asked Shreateh for more information.
“I have to admit that I have some sympathy with Facebook on this issue,” security analyst Graham Cluley wrote on his blog. “Although he was frustrated by the response from Facebook’s security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg’s wall.”
He would have been better served returning to Facebook’s security team with more evidence and further explaining it or, if that didn’t work, taking the information to a technology journalist to report, Cluley said.