Facebook, Twitter, Instagram — these are all great ways for us to stay in touch with our friends around the world. And with so much of our personal information on these sites, these companies do whatever is necessary to protect their users’ profiles from hackers.

Facebook in particular prides itself on having a relatively bug- and hacker-free environment. To protect your privacy, it runs a bounty program that rewards users who report bugs to Facebook’s security team.

When one researcher found a bug that let him post onto Mark Zuckerberg’s wall, he expected some kind of reward. His prize? A suspended account and no financial reward. Naturally, the Facebook and “white hat” hacker community are up in arms over this and Facebook has been dealt a dose of bad PR over this matter. Let’s take a look at what happened and see how you can protect your Facebook account.


A Date with Zuckerberg’s Wall


[Photo caption: Within minutes of posting to Zuckerberg’s wall, Shreateh was contacted by Facebook’s security team]

Only friends are supposed to be able to post onto your Facebook Wall. If it were any different, spammers and Internet trolls would have a field day harassing users.

A researcher named Khalil Shreateh found a bug that let him post onto anyone’s wall. He contacted Facebook twice about the issue and was ignored twice.

To prove that the bug was real, he posted on Sarah Goodin’s wall, a close friend of Mark Zuckerberg. Then, he explained the bug in a blog post and contacted Facebook’s security team.

Facebook didn’t do anything about it. Yahoo Finance explains:

“In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him ‘this was not a bug,’ according to an email that Shreateh shared.”

So he took it a step further and posted on Mark Zuckerberg’s wall. “Sorry for breaking your privacy,” Shreateh wrote to the Facebook founder. Within minutes, the post was deleted and he was contacted by Facebook’s security team.

Things didn’t quite work out as Shreateh planned. Instead of a reward for bringing the bug to everyone’s attention, his account was suspended — but he was still asked to help Facebook find more bugs and security glitches.


Facebook Strikes Back


[Image caption: Facebook will give your profile the ban-hammer if you don’t follow its Terms and Conditions]

Facebook suspended Shreateh’s account for violating its terms of service. Because he didn’t supply enough information in his first two bug reports, those reports were ignored. When Shreateh then posted on multiple users’ walls without their consent, Facebook struck back with a ban.

Here’s part of their full comment on what happened, as posted on Hacker News:

“The important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat.”

Facebook’s position is that researchers can create test accounts to demonstrate bugs, and that Shreateh’s method didn’t fall in line with its bounty program guidelines, hence the suspended account and no reward.

Needless to say, the online communities are pretty upset over this. Facebook ignored a serious bug, it took a post to the CEO’s wall to get noticed, and to top it off, the company refused to pay the bounty and instead suspended the researcher’s account.

In the meantime, check your Facebook privacy settings to protect your profile.


What Do You Think?

Should Shreateh be rewarded for reporting the bug? Has your Facebook wall ever been hacked? Let us know in the comments section!
