Over the weekend a Palestinian information systems specialist used an exploit to make a post on the profile of Facebook‘s creator, Mark Zuckerberg. According to CNN, Khalil Shreateh, a West Bank resident, tried to report the flaw to the Facebook team multiple times, but did not receive any real acknowledgement.
“Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports i sent to Facebook team,” read the post.
Shreateh made a post on his blog outlining what he did and his limited conversations with the people at Facebook. The post includes video evidence of how the exploit worked (view above).
“Days ago i discovered a serious facebook vulnerability that allows a facebook user to post to all facebook users timeline even they are not in his friend list .
i report that exploit through whitehat –> http://www.facebook.com/whitehat
this email shows my report including facebook security replay : -“
The link at the bottom of the last correspondence went to the profile of Sarah Goodwin, a friend of Zuckerberg from his time at Harvard.
As it turns out, the Facebook development team could not view the link because they didn’t have the permissions to view the profile, most likely because they were not “friends” with the Goodwin, explained Shreateh. After that report went ignored, he decided to prove the exploit by making a post on the profile of Facebook CEO, Mark Zuckerberg.
Minutes later, a Facebook security engineer named Ola Okelola made a comment on the post, asking Shreateh for details about the hack.
Facebook quickly disabled his account as a precaution. The young white-hat hacker sent a message to the social network asking for them to enable access to his account.
Although they were nice enough to reinstate his profile, Shreateh was deemed ineligable for the Facebook white-hat program, which encourages people to provide the Facebook security team with bugs and exploits in exchange for money. The program has paid out over a million dollars to hundreds of reporters, according to Matt Jones, a member of the Facebook security team.
Jones has since confirmed that the hack has been fixed. He also admitted that the way the security team interacted with Shreateh was unsatisfactory, but when there is a language barrier it can sometimes be difficult to communicate efficiently.