Palestinian security researcher Khalil Shreateh tried to warn Facebook – he really did. He did everything that he could think of to alert Facebook’s security and engineering folks to the fact that he had discovered a security flaw that allowed anyone to post to anybody else’s timeline, whether they were connected as friends or not. But they didn’t take him seriously (in fact they told him that it was not a security bug). So after all else failed, he posted a note on Mark Zuckerberg’s wall. And that did the trick.
“First, sorry for breaking your privacy and post to your wall,” began Shreateh’s message to Zuckerberg on Zuckerberg’s wall. Note that the import of this is that Shreateh and Zuckerberg are not ‘friends’ on Facebook, and yet Shreateh was able to publicly post this on Zuckerberg’s timeline. The security hole that allowed Shreateh to do this is exactly the security flaw that he’d been trying to bring to the attention of Facebook before taking this extreme measure.
Shreateh went on to explain in his message on Zuck’s wall, “I has no other choice to make after all the reports I sent to Facebook team.”
Being from Palestine, Shreateh is to be all the more commended for attempting, multiple times, in multiple ways, to bring this security hole to the attention of Facebook, all in a language with which he is not intimately familiar.
Such a security flaw – allowing anyone to post on anybody’s wall – would of course create a field day for spammers and scammers.
But Facebook resisted and pooh-poohed all of his efforts to get them to take this flaw seriously.
His first effort was to post a video on the Facebook wall of a woman who was a friend of Zuckerberg’s, and then to send the link to that post to Facebook’s security team with an explanation of the security hole.
They responded saying that the link was no good.
Shreateh then suggested that maybe they couldn’t see it because they weren’t friends with the woman, and he sent them a screen capture of his video post to the woman’s Facebook timeline.
That was when the Facebook security team responded that the flaw he had discovered was not a bug. In fact their exact words were “I am sorry this is not a bug.”
Shreateh then responded “ok that mean I have no choice other than report this to mark himself on facebook.”
And that is exactly what he did.
As news of this got out, Matt Jones, a Facebook Security team member stated that “Unfortunately, all he submitted was a link to the post he’d already made (on a real account whose consent he did not have).”
Seems to us that should have been more than enough for the security team to look into Shreateh’s claims, rather than to blow them off.
Jones went on to say “For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters.”
The monies to which Jones refers is rewards paid to people who find and submit bugs under Facebook’s White Hat program. Shreateh was deemed not eligible to receive a reward because he had hacked someone’s Facebook account.
However, Facebook says that they have fixed the security hole.
|Get notified of new Internet Patrol articles! |
You might also like some of our other articles: