A Palestinian information system expert says he was forced to post a bug report on Mark Zuckerberg’s Facebook page after the social network’s security team failed to recognize that a critical vulnerability he found allows anyone to post on someone's wall.
The vulnerability, which was reported by a man calling himself
‘Khalil,’ allows any Facebook user to post anything on the walls
of other users - even when those users are not included in their
list of friends. He reported the vulnerability through Facebook’s
security feedback page, which offered a minimum reward of US$500
for each real security bug report.
However, the social network’s security team failed to acknowledge the bug, even though Khalil enclosed a link to a post he made on the timeline of a random girl who studied at the same college as Facebook CEO Mark Zuckerberg.
“Sorry, this is not a bug,” Facebook’s security team said in response to Khalil’s second report, in which he offered to reproduce the discussed vulnerability on a test account of Facebook security expert.
After receiving the reply, Khalil claims he had no choice but to showcase the problem on Mark Zuckerberg’s wall.
Screenshots on his blog show that Khalil shared details of the exploit, as well as his disappointing experience with the security team, on the Facebook founder’s wall.
Just minutes after the post, Khalil says he received a response from a Facebook engineer requesting all the details about the vulnerability. His account was blocked while the security team rushed to close the loophole.
After receiving the third bug report, a Facebook security engineer finally admitted the vulnerability but said that Khalil won’t be paid for reporting it because his actions violated the website’s security terms of service.
Although Facebook’s White Hat security feedback program sets no reward cap for the most “severe” and “creative” bugs, it sets a number of rules that security analysts should follow in order to be eligible for a cash reward. Facebook did not specify which of the rules Khalil had broken.
Somewhere between the second and third vulnerability reports, Khalil also recorded a video of himself reproducing the bug.
In its latest reply, Facebook reinstated Khalil’s account and expressed hope that he will continue to work with Facebook to find more vulnerabilities.