Snubbed by Facebook, Security Researcher Hacks Zuckerberg's Page
Facebook founder Mark Zuckerberg at the 2008 South by Southwest conference in Austin, Texas.
UPDATED Tuesday (Aug. 20) with news that security researchers were raising money for Khalil Shreateh and that Facebook was altering its bug-reporting procedures in response to this case.
Frustrated that Facebook's security team wasn't taking him seriously, a Palestinian computer researcher last week figured out a different way to get the company's attention: He hacked into Mark Zuckerberg's Facebook page.
Unfortunately, because he had to break Facebook's rules to prove his point, the researcher, Khalil Shreateh of the town of Yatta on the West Bank, won't be seeing any "bug bounty" money from the company.
"Dear Mark Zuckerberg," read Shreateh's rogue posting on the page of Facebook's founder, chairman and chief executive officer. "Sorry for breaking your privacy and post[ing] to your wall, I has no other choice to make after all the reports I sent to Facebook team."
In a blog posting after the fact, Shreateh recounted the story: He'd found a security flaw in Facebook that allowed an attacker to post on anyone's wall or timeline.
But when he emailed Facebook's security team about it on Wednesday (Aug. 14), Shreateh was rebuffed twice; the first time for having sent a bad link to his proof, the second time with a curt dismissal after he posted on the Facebook page of a woman Zuckerberg knew in college.
"I am sorry this is not a bug," wrote a member of Facebook's security team.
Sheatreh replied, "OK, that mean[s] I have no other choice than report this to Mark himself on Facebook."
And so he did.
"Couple days ago I discovered a serious Facebook exploit that allow users to post to other Facebook users timeline while they are not in friend list," Sheatreh posted to Zuckerberg on Thursday (Aug. 15), explaining his finding. "As you see, I am not in your friend list and yet I can post to your timeline."
"I appreciate your time reading this and getting some one from your company team to contact me," Sheatreh concluded.
Then Sheatreh captured a screen shot of Zuckerberg's page with his own comment on it, and posted that screen shot to his own Facebook page.
That got Facebook's attention. Almost instantly, Sheatreh got a message on his Facebook page from a different member of Facebook security. Then his Facebook account was temporarily deactivated.
"When we discovered your activity we did not fully know what was happening," another Facebook security staffer told Sheatreh. "Unfortunately, your report to our Whitehat system [which encourages bug reporting] did not have enough technical information for us to take action on it."
Although Sheatreh's Facebook account was soon reactivated, he was told he wouldn't qualify for Facebook's bug-bounty program, which rewards researchers who find security flaws with payments ranging from $500 to $5,000.
"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service" by making an unauthorized posting to a member's page, the email message Sheatreh received said. "We do hope, however, that you continue to work with us to find vulnerabilities in the site."
To Sheatreh, who says on his blog that he's unemployed, this was unfair.
"I could sell" the exploit in underground malware bazaars, he told CNN in an interview. "I could make more money than Facebook could pay me."
Reaction online was mixed.
"Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall," wrote British security expert Graham Cluley.
"I think there was some misunderstanding between you and [the] Facebook Security Team," Pakistani computer researcher Mohammad Talha Hassan commented in response to Sheatreh's screen grab of Zuckerberg's page. "When I reported a security issue to them, they kept me updated of all the progress and dealt with it professionally. I personally think that you should have waited a little more before publicly disclosing the issue."
But most of the comments on Sheatreh's page, as well as on news reports about the issue, amounted to congratulations or recommendations to that Facebook should hire Sheatreh.
If Sheatreh needs encouragement to do further research into Facebook security, he needn't look far: Top Facebook hacker Nir Goldshlager, who's received many Facebook bug bounties, lives right over the border in Israel.
UPDATE: Security researchers upset that Facebook won't pay Shreateh a bug bounty have begun to raise money on his behalf.
"Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work," wrote Marc Maiffret, chief technology officer of BeyondTrust, on a GoFundMe page Maiffret created for Shreateh. "Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone."
Maiffret and Firas Bushnaq, who co-founded eEye Digital Security with Maiffret, each kicked in $3,000. As of this writing, 68 donations have been made, most between $5 and $20, and the fund has reached $8,800 with an ultimate goal of $10,000.
That's twice as much as the maximum Shreateh could have received from Facebook for a single working exploit.
On Monday evening, Facebook Chief Security Officer Joe Sullivan posted his analysis of the Shreatheh situation.
"He tried to report the bug responsibly, and we failed in our communication with him," Sullivan wrote. "We were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem."
"The breakdown here was not about a language barrier or a lack of interest," Sullivan continues. "It was purely because the absence of detail made it look like yet another misrouted user report."
As a result, Sullivan said, the Facebook security team would make two changes: "improve our email messaging to make sure we clearly articulate what we need to validate a bug" and "update our whitehat page with more information on the best ways to submit a bug report."
But, Sullivan reiterated, Facebook still won't pay Sheatreh for this bug.
"It is never acceptable to compromise the security or privacy of other people," Sullivan said.