A security researcher named Khalil Shreateh has discovered a Facebook bug that allowed anyone to post on another person’s wall even if they are not friends. He was able to prove that the Facebook bug was legit and he reported it to Facebook’s security team. After a lack of response, Khalil took drastic actions by posting on Facebook CEO Mark Zuckerberg’s wall.
Before posting on Zuckerberg’s wall, Khalil demonstrated the bug by writing on the wall of Sarah Goodin, a college friend of Zuckerberg’s and the first woman on Facebook. Since the Facebook Security team member who clicked the link was not friends with Goodin and her wall was set to be visible to friends only, he could not see Khalil’s post. The Facebook Security team did not override the privacy settings in this case.
“I don’t see anything when I click the link except an error,” said the Facebook Security team member. Khalil submitted the bug with the same link again and said that anyone investigating the link would need to either be Goodin’s friend or would need to use their authority to view the private post. The Security team member said “I am sorry this is not a bug.”
This is when Khalil decided to post on Zuckerberg’s wall.
“Sorry for breaking your privacy [to post] to your wall,” said Khalil’s post, “i [had] no other choice to make after all the reports I sent to Facebook team.” Facebook engineers reached out to Khalil within minutes to learn more about the bug.
As part of Facebook’s bug bounty program, security researchers are paid $500 for each bug that they report responsibly. The size of the bounty is increased with the severity with no set maximum. Khalil likely will not receive the bug bounty since the researchers are asked to use test accounts for investigations rather than the accounts of other Facebook users. The reports did not include enough detail of how to reproduce the bug.
“Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions,” said Facebook in response to Khalil. “We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”