Khalil Shreateh, a Palestinian developer, discovered a loophole in Facebook's privacy settings that allowed a user to post on anyone's timeline, regardless of whether the poster was on that person's friends list.
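The article does not describe the mechanics of the flaw, only its effect: a write to another user's timeline that should have been gated on the owner's privacy setting and friend list was not. The following is an added illustration of that bug class, written for this page and not Facebook's code; the data model, the setting names ("everyone", "friends", "only_me") and all function names are assumptions. It places a timeline-post endpoint that authenticates the caller but never authorizes the write beside a hardened version that makes the decision server-side and fails closed.

```python
"""Illustrative timeline-posting authorization check (added example).

Constructed for this page to show the access-control class the article
describes: a 'post on timeline' endpoint that never consults the owner's
privacy setting lets any logged-in user write to any timeline. The data
model, the privacy-setting names and the function names are assumptions,
not Facebook's code or API.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # Who may post on this user's timeline: "everyone", "friends" or
    # "only_me". Setting names are assumed for the example.
    timeline_posting: str = "friends"
    friends: set = field(default_factory=set)


@dataclass
class Timeline:
    owner: User
    posts: list = field(default_factory=list)  # (author name, text) tuples


class PermissionDenied(Exception):
    pass


def post_vulnerable(timeline: Timeline, author: User, text: str) -> None:
    """Vulnerable: the author is authenticated but the write is never authorized.

    Friendship and the owner's setting are never checked, so anyone can post
    on anyone's timeline, which is the behaviour the article attributes to the bug.
    """
    timeline.posts.append((author.name, text))


def can_post(owner: User, author: User) -> bool:
    """Authorization decision based on the owner's setting and friend list."""
    if owner.name == author.name:
        return True
    setting = owner.timeline_posting
    if setting == "everyone":
        return True
    if setting == "friends":
        return author.name in owner.friends
    return False  # "only_me" or an unrecognised value: fail closed


def post_hardened(timeline: Timeline, author: User, text: str) -> None:
    """Hardened: the server decides who may write, on every request."""
    if not can_post(timeline.owner, author):
        raise PermissionDenied(
            f"{author.name} may not post on {timeline.owner.name}'s timeline"
        )
    timeline.posts.append((author.name, text))


def demo() -> dict:
    """Constructed scenario: a friend and a stranger try a friends-only timeline."""
    owner = User("owner", timeline_posting="friends", friends={"alice"})
    friend = User("alice")
    stranger = User("mallory")
    results = {}

    t = Timeline(owner)
    post_vulnerable(t, stranger, "hello")
    results["vulnerable_stranger_posted"] = len(t.posts) == 1

    t = Timeline(owner)
    post_hardened(t, friend, "hi from a friend")
    results["hardened_friend_posted"] = len(t.posts) == 1
    try:
        post_hardened(t, stranger, "hello")
        results["hardened_stranger_blocked"] = False
    except PermissionDenied:
        results["hardened_stranger_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the check runs on the server for every write and defaults to deny when the setting is unknown; a client-side or UI-only check is exactly what a direct request bypasses.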
The hacker did warn Facebook first
According to Shreateh's blog post, he initially reported the bug by email to Facebook Inc (NASDAQ:FB)'s white hat disclosure program, but the company did not recognize it as a vulnerability. To prove his point, Shreateh took an unconventional route and reported the vulnerability on Zuckerberg's own timeline, using the very bug he had found.
Before posting on Zuckerberg's timeline, Shreateh had already tested the vulnerability by posting on the wall of Sarah Goodin, a college classmate of Zuckerberg's. A link to that post was included in the email sent to Facebook, but the security employee handling the case was unable to see the post because Goodin was not on his friends list, so the report arrived without a proof the triager could actually verify.
Shreateh then sent a second warning email saying that he could post on Zuckerberg's wall but would not do so, as he respected people's privacy. He received no reply. After this, he sent another formal report detailing the bug, and this time he reportedly got an answer from the security team saying, "I am sorry this is not a bug." To which Shreateh replied: "ok, that mean [sic] I have no choice other than report this to Mark himself on Facebook."
Shreateh won’t be rewarded
Posting on Zuckerberg's wall did help: the flaw was fixed shortly after Shreateh posted on Zuckerberg's page on Thursday. The whole saga still raises the question of why Facebook Inc (NASDAQ:FB) ignored the white hat hacker's alerts.
In its defense, a post from a Facebook Inc (NASDAQ:FB) security team member said that Shreateh's limited English and the lack of complete information in his report were the reasons the security team did not respond immediately. The company also receives hundreds of bug reports a day through its bug bounty program, which added to the delay.
However, Facebook Inc (NASDAQ:FB) did admit its failure to follow up on Shreateh's emails. "We should have pushed back asking for more details here," Facebook software engineer Matt Jones wrote on Hacker News.
The bad news: Shreateh will not be rewarded for his efforts, because the way he demonstrated the bug violated the program's disclosure policy.