Sarah Goddard Staff Writer
If you’re a hacker, firstly, that’s a bad thing and you should stop doing that. Secondly, if you can hack Facebook, not only do they want to know about it via their White Hat Disclosure Program, but they will also offer you a reward for bringing the site’s vulnerabilities to their attention. That is, of course, unless they ignore you.
Such is the case of Palestinian Khalil Shreateh.
Shreateh figured out that by entering some website URLs, grabbing a person’s Facebook ID and doing some other non-obvious copying and pasting, he could post something on a non-friend’s Facebook timeline.
Before reporting the bug, Shreateh successfully tested the flaw in the website by posting on the wall of Sarah Goodin, one of Mark Zuckerberg’s former college classmates. He included a link to his post in an email to the White Hat reporting page. A short time thereafter, Shreateh received a reply from a Facebook security employee, identified only as Emrakul, who stated that he couldn’t see the post Khalil had linked him to, as he wasn’t friends with Goodin.
Khalil tried to explain to Emrakul that if he so chose, he could post directly onto Facebook founder Mark Zuckerberg’s wall, but that he wouldn’t “cause I do respect people privacy”. However, his second email was ignored.
Trying a third time, Shreateh sent another official report to White Hat, explaining the website’s glitch again, only to receive the reply “I am sorry this is not a bug,” to which he replied “ok, that mean [sic] I have no choice other than report this to Mark himself on Facebook.”
And that’s exactly what he did.
This exploit gained the attention of another Facebook security engineer, Ola Okelola, who commented on the post, asking Khalil to provide further information about the bug.
After a short discussion between the two, Shreateh’s Facebook account was suspended “as a precaution”, as a third security officer named Joshua explained via email.
By writing on Zuckerberg’s wall, Shreateh apparently violated Facebook’s ‘Responsible Disclosure Policy’, which prohibits people who find bugs in the website from taking advantage of them or demonstrating them on other people’s accounts without their permission.
If you’re interested in the entire exchange between Khalil and the Facebook security team, he has posted everything in its entirety on his blog.
Shreateh also posted a YouTube video detailing how he was able to do exactly what he did. But don’t get too excited and try this for yourselves: Facebook reports that the bug has been fixed and the website is now less vulnerable.
Khalil Shreateh has since apologised for posting on Zuckerberg’s wall, but sadly will not be getting any part of the White Hat reward money, as he violated the disclosure policy.