Researcher Hacks Mark Zuckerberg’s Facebook Page

Palestinian IT researcher Khalil Shreateh recently uncovered a Facebook vulnerability that allows anyone to post to any Facebook user’s timeline (h/t Graham Cluley).

Shreateh tested the bug on Sarah Goodin, a friend of Facebook CEO Mark Zuckerberg, then reported the bug via Facebook’s vulnerability reporting page. He got an initial reply stating, “I dont see anything when I click link except an error.” Then, when he followed up, he was informed, “I am sorry this is not a bug.”

He then posted a statement on Mark Zuckerberg’s timeline stating, “Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports i sent to Facebook team .”

That got Facebook’s attention, but not in the best way — Facebook disabled Shreateh’s account. They later reactivated his account, but informed him that he wasn’t eligible for a bug bounty because he had violated the site’s Terms of Service.

And those terms are very clear — on the bug bounty page, Facebook states, “Please use a test account instead of a real account when investigating bugs. … Do not interact with other accounts without the consent of their owners.”

Later, Facebook Chief Security Officer Joe Sullivan stated, “We will make two changes as a result of this case: (1) We will improve our email messaging to make sure we clearly articulate what we need to validate a bug, and (2) we will update our whitehat page with more information on the best ways to submit a bug report. We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.