Researcher Hits Zuckerberg’s Wall To Report Facebook Bug

A security researcher, frustrated at not getting a response from Facebook engineers, posted his findings about a potentially serious flaw on the social network to CEO Mark Zuckerberg’s page.

But Facebook has claimed the researcher was out of line in the way he publicised his findings.

Khalil Shreateh had discovered a vulnerability that allowed anyone to post to another’s timeline even if they weren’t friends. He originally chose to highlight the flaw by posting to a Facebook member who went to the same college as Zuckerberg.

After sending numerous emails to the social networking giant, and having been told it was not a bug, Shreateh posted on Zuckerberg’s wall. He then received a response asking for details on the flaw.

Facebook: Actions were not acceptable

Facebook then disabled his account, telling Shreatah they “did not fully know what was happening”. As for its previous responses to the researcher’s notifications, Facebook told him there was not enough technical information for them to take action.

“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” Facebook said, according to an email pasted into Shreatah’s blog.

“When you submit reports in the future, we ask you to please include enough detail to repeat your actions.”

His Facebook account was later re-enabled. Shreatah remains unhappy with Facebook’s actions.

Facebook fixed the bug on Thursday, saying that Shreatah had breached the company’s terms of service by exploiting the flaw on a user’s account without their permission. Had he included a link to a video he had made on the exploit, it would have been caught “much more quickly”, according to Facebook engineer Matt Jones.

“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” Jones wrote, noting there are test accounts available to try out exploits. “In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”

However, Facebook did accept some responsibility, admitting it should have asked more from Shreatah. “We should have pushed back asking for more details here,” Jones added.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago