
Snubbed by Facebook, Security Researcher Hacks Zuckerberg's Page

Source: Tom's Guide US | 13 comments

Facebook founder Mark Zuckerberg at the 2008 South by Southwest conference in Austin, Texas.

UPDATED Tuesday (Aug. 20) with news that security researchers were raising money for Khalil Shreateh and that Facebook was altering its bug-reporting procedures in response to this case.

Frustrated that Facebook's security team wasn't taking him seriously, a Palestinian computer researcher last week figured out a different way to get the company's attention: He hacked into Mark Zuckerberg's Facebook page.

Unfortunately, because he had to break Facebook's rules to prove his point, the researcher, Khalil Shreateh of the town of Yatta on the West Bank, won't be seeing any "bug bounty" money from the company.

"Dear Mark Zuckerberg," read Shreateh's rogue posting on the page of Facebook's founder, chairman and chief executive officer. "Sorry for breaking your privacy and post[ing] to your wall, I has no other choice to make after all the reports I sent to Facebook team."


In a blog posting after the fact, Shreateh recounted the story: He'd found a security flaw in Facebook that allowed an attacker to post on anyone's wall or timeline.

But when he emailed Facebook's security team about it on Wednesday (Aug. 14), Shreateh was rebuffed twice; the first time for having sent a bad link to his proof, the second time with a curt dismissal after he posted on the Facebook page of a woman Zuckerberg knew in college.

"I am sorry this is not a bug," wrote a member of Facebook's security team.

Shreateh replied, "OK, that mean[s] I have no other choice than report this to Mark himself on Facebook."

And so he did.

"Couple days ago I discovered a serious Facebook exploit that allow users to post to other Facebook users timeline while they are not in friend list," Shreateh posted to Zuckerberg on Thursday (Aug. 15), explaining his finding. "As you see, I am not in your friend list and yet I can post to your timeline."

"I appreciate your time reading this and getting some one from your company team to contact me," Shreateh concluded.

Then Shreateh captured a screen shot of Zuckerberg's page with his own comment on it, and posted that screen shot to his own Facebook page.

That got Facebook's attention. Almost instantly, Shreateh got a message on his Facebook page from a different member of Facebook security. Then his Facebook account was temporarily deactivated.

"When we discovered your activity we did not fully know what was happening," another Facebook security staffer told Shreateh. "Unfortunately, your report to our Whitehat system [which encourages bug reporting] did not have enough technical information for us to take action on it."


Although Shreateh's Facebook account was soon reactivated, he was told he wouldn't qualify for Facebook's bug-bounty program, which rewards researchers who find security flaws with payments ranging from $500 to $5,000.

"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service" by making an unauthorized posting to a member's page, the email message Shreateh received said. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."

To Shreateh, who says on his blog that he's unemployed, this was unfair.

"I could sell" the exploit in underground malware bazaars, he told CNN in an interview. "I could make more money than Facebook could pay me."

Reaction online was mixed.

"Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall," wrote British security expert Graham Cluley.

"I think there was some misunderstanding between you and [the] Facebook Security Team," Pakistani computer researcher Mohammad Talha Hassan commented in response to Shreateh's screen grab of Zuckerberg's page. "When I reported a security issue to them, they kept me updated of all the progress and dealt with it professionally. I personally think that you should have waited a little more before publicly disclosing the issue."

But most of the comments on Shreateh's page, as well as on news reports about the issue, amounted to congratulations or recommendations that Facebook should hire Shreateh.

If Shreateh needs encouragement to do further research into Facebook security, he needn't look far: Top Facebook hacker Nir Goldshlager, who's received many Facebook bug bounties, lives right over the border in Israel.

UPDATE: Security researchers upset that Facebook won't pay Shreateh a bug bounty have begun to raise money on his behalf.

"Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work," wrote Marc Maiffret, chief technology officer of BeyondTrust, on a GoFundMe page Maiffret created for Shreateh. "Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone."

Maiffret and Firas Bushnaq, who co-founded eEye Digital Security with Maiffret, each kicked in $3,000. As of this writing, 68 donations have been made, most between $5 and $20, and the fund has reached $8,800 with an ultimate goal of $10,000.

That's twice as much as the maximum Shreateh could have received from Facebook for a single working exploit.

On Monday evening, Facebook Chief Security Officer Joe Sullivan posted his analysis of the Shreateh situation.

"He tried to report the bug responsibly, and we failed in our communication with him," Sullivan wrote. "We were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem."

"The breakdown here was not about a language barrier or a lack of interest," Sullivan continues. "It was purely because the absence of detail made it look like yet another misrouted user report."

As a result, Sullivan said, the Facebook security team would make two changes: "improve our email messaging to make sure we clearly articulate what we need to validate a bug" and "update our whitehat page with more information on the best ways to submit a bug report."

But, Sullivan reiterated, Facebook still won't pay Shreateh for this bug.

"It is never acceptable to compromise the security or privacy of other people," Sullivan said.

  • nevilence, August 19, 2013 2:19 PM (score: 1)
    Maybe their team will listen a little more closely next time, chumps
  • dalethepcman, August 19, 2013 2:33 PM (score: 0)
    "Top Facebook hacker Nir Goldshlager, who's received many Facebook bug bounties, lives right over the border in Israel."

    Uhh... yeah because Palestinians and Israelis are historically known for getting along great...

    That was sarcasm by the way.

    On topic, this guy really should have given Facebook more than 2 days to deal with this.
  • koga73, August 19, 2013 2:52 PM (score: 2)
    Facebook's API is riddled with bugs and ever changing. This really isn't too surprising.
  • bin1127, August 19, 2013 4:54 PM (score: 5)
    I think he handled it pretty well. He didn't hack zuckerberg's page and delete everything replacing his profile pic with fail.gif. He posted a very straightforward message stating the exact nature of the exploit.

    They shouldn't snuff the only guy that actually cares about facebook's security. Either pay him or deduct $5000 from the guy who ignored his warning.
  • mman74, August 19, 2013 5:52 PM (score: 0)
    No. Pay him and it's open season on reporting exploits. They are quite right. I think from his English the fact that he couldn't even link his own proof, I am not going to vilify the guy that turned down his email.
    Still all credit to him for finding such an exploit. I don't think however the vulnerability extended to allowing him to delete all of Mr. Zuckerberg's posts.
  • axefire0, August 19, 2013 6:20 PM (score: 4)
    Facebook should investigate why his bug report was ignored or dismissed. There may have been racial discrimination, the bug reporter being a Palestinian.
  • rwinches, August 19, 2013 6:26 PM (score: 4)
    A lot of comprehension errors here.
    The security guy blew it when he clicked on the link without using his authority to view the page. If you click on the page without being a friend as he clearly stated, it would not work Duh.
    He did not delete anything on Zuck's page.
    @mman74 Did you bother to read the article? FB pays for bug reports.

    FB sec is about as good as Geek Squad.
    Pay the man, he needs the money, he chose to do the right thing.
  • digiex, August 19, 2013 10:12 PM (score: 0)
    Tom's security team is also pretty sure busy deleting those spammer accounts.
  • Darkk, August 19, 2013 11:19 PM (score: 0)
    Facebook totally secure?? Muahahahaaa... Sorry. Simple rule. Don't air your dirty laundry on there.
  • razor512, August 20, 2013 12:43 AM (score: 0)
    That is complete disrespect. He should release the exploit before they can patch it. Or sell the next few exploits.

    If I ran a company that had a security policy of paying people to report exploits and a worker did this to someone attempting to report a security issue, I would fire them on the spot, and depending on how pissed off I was, I would sue them for trying to destroy the company.
  • ddpruitt, August 20, 2013 8:21 AM (score: 0)
    For those who REFUSE to read anything other than the mangled version of this story on Tom's he DID report the bug to Facebook several times and was ignored. It was only after being IGNORED several times that he hacked Zuckerberg's page (good riddance). The "We didn't understand you" excuse only came out AFTER Facebook refused to pay the bounty on the bug and there was a backlash.

    This whole other security researcher is just in there to throw gas on the fire and has absolutely NOTHING to do with what actually happened.
  • Pherule, August 20, 2013 10:44 AM (score: 0)
    Since quotes don't work with this retarded new comment system, I'll manually quote:

    "This guy really should have given facebook more than 2 days to deal with this."
    No, he should not have. How long does it take to fix a reproducible bug like this? 2 weeks? FB would need to fire their security coders if it took that long. The ridiculous length of time for bug fixing is the same reason Microsoft's products are so well known for being insecure.