A Palestinian security researcher gained unauthorized access, last week, to Mark Zuckerberg’s Facebook (NASDAQ:FB) page to prove the legitimacy of his bug report, after the social network giant’s security team ignored his previous reports on the vulnerability.
On Facebook, users are not permitted to share or post anything on the profile pages of people who are not on their friends list. But the security expert, who goes by the name Khalil Shreateh, discovered a bug that allowed an intruder to post on anyone’s Facebook “Wall,” even without being that person’s “Friend” on the social networking site.
In an initial bug report to Facebook, Shreateh tried to demonstrate the vulnerability by sharing a link on the wall of Sarah Goodin, a college friend of the Facebook founder. A member of Facebook’s online security team, who was not on Goodin’s friends list, clicked on Shreateh’s link but could not view the post, as Goodin’s wall was set to be visible to her friends only.
Shreateh sent another bug report, explaining that anyone inspecting the vulnerability on Goodin’s wall needed to be her friend, or would have to use administrative access to view the post. However, the Facebook security official responded to Shreateh saying what he had pointed out was not a bug.
Shreateh, however, convinced that the bug was real and determined to prove the legitimacy of his discovery, decided to take it to the next level by posting on Zuckerberg’s own profile page.
On Thursday, a note from Shreateh was visible on Zuckerberg’s timeline. “Sorry for breaking your privacy to your wall,” it read, “i no other choice to make after all the reports I sent to Facebook team.”
As Shreateh expected, this generated a reaction from Facebook, leading the company to fix the flaw.
According to Facebook’s whitehat exploit disclosure program, Shreateh could qualify for a reward of at least $500 as the discoverer of a bug on the site. But Shreateh might be disqualified from receiving the bug bounty, Facebook said.
According to Facebook’s bug disclosure policy, a security researcher should use test accounts, rather than real accounts of Facebook users, to work on the site’s vulnerabilities and bug reports. Shreateh, according to the company, violated this rule by accessing Goodin’s and Zuckerberg’s profiles.
“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” TechCrunch quoted Facebook as saying.
Facebook also said that Shreateh’s bug report did not contain enough technical information to convince its in-house security experts. In addition, the company added, it receives hundreds of bug reports every day, making it difficult for its security team to separate genuine reports from bogus ones.
However, Matt Jones, one of Facebook’s engineers on the security team, admitted in an online forum, Hacker News, that the social network did not follow up with Shreateh properly. “We should have pushed back asking for more details here,” he wrote.