August 25, 2013
Zuck Gets Dissed
Last weekend, something peculiar happened on Facebook.
An IT expert posted his own bug report directly on Mark Zuckerberg’s wall.
It’s not supposed to be this way, you know. The appropriate way to handle a bug report is to send it to Facebook’s security team, and if they’re able to replicate the flaw, they give you $500.
Makes you wish you studied computer science and programming in college, no?
Khalil Shreateh discovered a flaw in Facebook’s security that let him post to people’s pages and walls without their permission. He tried to log this bug with the Facebook security team, but they told him quite curtly: “Sorry this is not a bug.”
Shreateh then did what any self-respecting hacker…er…security expert would do. He took it all the way to the top.
“First, sorry for breaking your privacy and post(ing) to your wall,” wrote the Palestinian on Zuck’s wall.
“I (have) no other choice to make after all the reports I sent to (the) Facebook team.”
The kids at Facebook didn’t take too kindly to this, as you may imagine, and suspended his account. They also refused to give him the $500 he deserved.
This, of course, made headlines over the weekend, spurring other hackers to leap to his aid.
Marc Maiffret created a GoFundMe campaign asking those in the security research world to get Shreateh the money due him for finding a critical flaw in the Facebook system. Over the weekend they raised more than the $10,000 they had planned, all the way up to $13,100 at the time of this publishing.
The entire scenario points to some potential issues with Facebook’s bug report system, though according to one of their software engineers, Matt Jones, the biggest issue may have been that darned language barrier. As it turns out, English isn’t Shreateh’s first language. Yet despite his multiple attempts to explain the bug to the security team, they ignored his reports.
According to Shreateh, just minutes after posting to Zuck’s Facebook wall (without his permission, I should add), he received a comment from Ola Okelola, a software engineer, asking him to describe the bug once again.
That got their attention, eh?
Even after he demonstrated how the bug could be used to post unwanted comments on others’ walls, Facebook decided the best course of action would be to disable his account.
“Facebook disabled your account as a precaution,” reads the email Shreateh received from Facebook after he hacked into Zuck’s account.
“When we discovered your activity we did not fully know what was happening. We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
In a statement, software engineer Jones (not the one who disabled Shreateh’s account) said: “Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters.”
Shreateh likely isn’t too upset about this incident, though. He’s recovered access to his Facebook account and he’s walking away from the fray $11,000 richer.
Again, doesn’t this make you wish you had paid attention in all those computer classes?