Hacker posts Facebook bug report on Zuckerberg’s wall

Published time: August 17, 2013 22:28
Edited time: August 18, 2013 13:41
Image from khalil-sh.blogspot.ru

A Palestinian information system expert says he was forced to post a bug report on Mark Zuckerberg’s Facebook page after the social network’s security team failed to recognize that a critical vulnerability he found allows anyone to post on someone's wall.

The vulnerability, which was reported by a man calling himself ‘Khalil,’ allows any Facebook user to post anything on the walls of other users - even when those users are not included in their list of friends. He reported the vulnerability through Facebook’s security feedback page, which offered a minimum reward of US$500 for each real security bug report.

However, the social network’s security team failed to acknowledge the bug, even though Khalil enclosed a link to a post he made on the timeline of a random girl who studied at the same college as Facebook CEO Mark Zuckerberg.

“Sorry, this is not a bug,” Facebook’s security team said in response to Khalil’s second report, in which he offered to reproduce the vulnerability on a test account belonging to a Facebook security expert.

After receiving the reply, Khalil claims he had no choice but to showcase the problem on Mark Zuckerberg’s wall.

Screenshots on his blog show that Khalil shared details of the exploit, as well as his disappointing experience with the security team, on the Facebook founder’s wall.

Just minutes after the post, Khalil says he received a response from a Facebook engineer requesting all the details about the vulnerability. His account was blocked while the security team rushed to close the loophole.

After receiving the third bug report, a Facebook security engineer finally acknowledged the vulnerability but said that Khalil would not be paid for reporting it because his actions violated the website’s security terms of service.

Although Facebook’s White Hat security feedback program sets no reward cap for the most “severe” and “creative” bugs, it sets a number of rules that security analysts should follow in order to be eligible for a cash reward. Facebook did not specify which of the rules Khalil had broken.

Somewhere between the second and third vulnerability reports, Khalil also recorded a video of himself reproducing the bug. 

In its latest reply, Facebook reinstated Khalil’s account and expressed hope that he will continue to work with Facebook to find more vulnerabilities.

Comments (117)

 

Nathan Senn 17.09.2013 15:28

Mark's just as greedy as ever, can't do what he says he will. What's $500? I'm really starting to hate Facebook, wish we would have never used it. He sells all our info to the NSA and won't even pay this guy the $500 that they owe him. That's messed up!

 

Mustafa Alami 22.08.2013 06:10

I can't believe that the FB technical team didn't take this matter seriously. It destroys participants' faith in FB. They should pay 5000$, not only 500$, to this ethical hacker who helped reveal a security hole to them.
I strongly address FB technical to acknowledge and respond to Khalil.
