A security researcher, frustrated at not getting a response from Facebook engineers, posted his findings about a potentially serious flaw on the social network to CEO Mark Zuckerberg’s page.
But Facebook has claimed the researcher was out of line in the way he publicised his findings.
Khalil Shreateh had discovered a vulnerability that allowed anyone to post to another’s timeline even if they weren’t friends. He originally chose to highlight the flaw by posting to a Facebook member who went to the same college as Zuckerberg.
Facebook then disabled his account, telling Shreatah they “did not fully know what was happening”. As for its previous responses to the researcher’s notifications, Facebook told him there was not enough technical information for them to take action.
“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” Facebook said, according to an email pasted into Shreatah’s blog.
“When you submit reports in the future, we ask you to please include enough detail to repeat your actions.”
His Facebook account was later re-enabled. Shreatah remains unhappy with Facebook’s actions.
Facebook fixed the bug on Thursday, saying that Shreatah had breached the company’s terms of service by exploiting the flaw on a user’s account without their permission. Had he included a link to a video he had made on the exploit, it would have been caught “much more quickly”, according to Facebook engineer Matt Jones.
“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” Jones wrote, noting there are test accounts available to try out exploits. “In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”
However, Facebook did accept some responsibility, admitting it should have asked more from Shreatah. “We should have pushed back asking for more details here,” Jones added.
What do you know about Internet security? Find out with our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…