Researcher Hits Zuckerberg’s Wall To Report Facebook Bug

A security researcher, frustrated at not getting a response from Facebook engineers, posted his findings about a potentially serious flaw on the social network to CEO Mark Zuckerberg’s page.

But Facebook has claimed the researcher was out of line in the way he publicised his findings.

Khalil Shreateh had discovered a vulnerability that allowed anyone to post to another’s timeline even if they weren’t friends. He originally chose to highlight the flaw by posting to a Facebook member who went to the same college as Zuckerberg.

After sending numerous emails to the social networking giant, and having been told it was not a bug, Shreateh posted on Zuckerberg’s wall. He then received a response asking for details on the flaw.

Facebook: Actions were not acceptable

Facebook then disabled his account, telling Shreatah they “did not fully know what was happening”. As for its previous responses to the researcher’s notifications, Facebook told him there was not enough technical information for them to take action.

“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” Facebook said, according to an email pasted into Shreatah’s blog.

“When you submit reports in the future, we ask you to please include enough detail to repeat your actions.”

His Facebook account was later re-enabled. Shreatah remains unhappy with Facebook’s actions.

Facebook fixed the bug on Thursday, saying that Shreatah had breached the company’s terms of service by exploiting the flaw on a user’s account without their permission. Had he included a link to a video he had made on the exploit, it would have been caught “much more quickly”, according to Facebook engineer Matt Jones.

“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” Jones wrote, noting there are test accounts available to try out exploits. “In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”

However, Facebook did accept some responsibility, admitting it should have asked more from Shreatah. “We should have pushed back asking for more details here,” Jones added.

What do you know about Internet security? Find out with our quiz!