A computer expert from Palestine posted on Mark Zuckerberg's Facebook wall to demonstrate the potential damage of a bug he had found, after claiming to be ignored by the social network's security team.

Image caption (credit: Facebook): The screenshot shows Khalil Shreateh's post on Mark Zuckerberg's Facebook wall, which was made possible by the bug he found.

Khalil Shreateh explained in a blog post how he had found a flaw where any user could post links on the Facebook wall of anyone else, regardless of their friendship status or security settings.
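The flaw described above is a missing authorization check on a "post to wall" action: the server accepted the post without asking whether the poster was allowed to write to that wall. The following is an added, simplified model of that class of bug and of the check that closes it. It is illustrative code written for this article, not Facebook's code, and the user model, the `wall_posting` privacy setting and its three values ("everyone", "friends", "only_me") are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Hypothetical user record (assumption: not Facebook's data model)."""
    name: str
    wall_posting: str = "friends"          # who may post here: "everyone", "friends", "only_me"
    friends: set = field(default_factory=set)
    wall: list = field(default_factory=list)  # (poster name, link) tuples


class NotAuthorized(Exception):
    """Raised when the actor is not permitted to post on the target's wall."""


def post_to_wall_vulnerable(actor: User, target: User, link: str) -> bool:
    """Models the reported behaviour: the server-side handler never checks
    friendship or the target's privacy setting, so any logged-in user can
    post a link on anyone's wall."""
    target.wall.append((actor.name, link))
    return True


def may_post(actor: User, target: User) -> bool:
    """Authorization decision, evaluated on the server for every request
    (never trusted from the client): the owner can always post; otherwise
    the target's wall_posting setting decides."""
    if actor is target:
        return True
    if target.wall_posting == "everyone":
        return True
    if target.wall_posting == "friends":
        return actor.name in target.friends
    return False  # "only_me" or any unknown value: deny by default


def post_to_wall_hardened(actor: User, target: User, link: str) -> bool:
    """Same action with the authorization check performed before the write."""
    if not may_post(actor, target):
        raise NotAuthorized(f"{actor.name} may not post on {target.name}'s wall")
    target.wall.append((actor.name, link))
    return True


if __name__ == "__main__":
    # Constructed sample users: a stranger and a friend of the wall owner.
    owner = User("owner", wall_posting="friends", friends={"friend"})
    stranger = User("stranger")
    friend = User("friend")

    post_to_wall_vulnerable(stranger, owner, "http://example.invalid/link")
    print("vulnerable handler accepted a stranger's post:", owner.wall)

    owner.wall.clear()
    try:
        post_to_wall_hardened(stranger, owner, "http://example.invalid/link")
    except NotAuthorized as exc:
        print("hardened handler refused:", exc)
    post_to_wall_hardened(friend, owner, "http://example.invalid/link")
    print("hardened handler accepted a friend's post:", owner.wall)
```

The important design point is that the decision in `may_post` is made on the server, keyed on the target's own settings and friendship data, and that anything not explicitly allowed is denied; a check that only hides the post box in the user interface would leave the underlying request exploitable exactly as the article describes.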

Shreateh, whose profile picture is that of NSA whistleblower Edward Snowden, then claims to have reported the issue through Facebook's Whitehat initiative, which rewards those who find such flaws with upwards of $500 (£320).

After being told via email that his find was "not a bug", Shreateh then posted a message on Facebook CEO Mark Zuckerberg's wall, explaining what the bug was, along with a link to his email conversation with the site's security staff.

Minutes later, Facebook security engineer Ola Okelola got in touch to find out more, and soon after that Shreateh's Facebook account was disabled as a precaution.

Violating

Facebook claims his original Whitehat submission did not contain enough technical information to be acted upon, telling Shreateh: "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service."

Further explanation was provided on the Hacker News forum by a poster called MKJones, who claims to work in Facebook's security team. The poster said the bug has now been fixed and admits "we should have asked for additional reproduction instructions after his initial report.

"Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy)."

Additionally, the poster said that Facebook receives "hundreds of reports every day" and that many of the best come from people whose first language is not English, an issue the engineer describes as "challenging".

Nonsense

The poster said that, of the hundreds of daily bug reports, many "are nonsense or misguided, and even those provide some modicum of reproduction instructions. We should have pushed back asking for more details here."

The biggest issue with this incident, MKJones added, was Shreateh's demonstration of the bug on a real account - that of Sarah Goodin, Facebook's first female user - without permission. "Exploiting bugs to impact real users is not acceptable behaviour for a white hat. Do not interact with other accounts without the consent of their owners."

Security expert Graham Cluley, commenting on the incident, said: "I have to admit that I have some sympathy with Facebook. Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."

In June this year a British man was awarded $20,000 (£13,000) by Facebook for reporting a problem with the site's text message verification system, whereby he fooled it into sending him a code for an account that wasn't his.