A Guy Hacked Mark Zuckerberg's Wall After Facebook Ignored His Bug Report


Khalil, a Palestinian white hat hacker, submitted bug reports to Facebook about a vulnerability that allowed him to post on anyone's wall. But Facebook's security team didn't do anything. So Khalil wrote on Mark Zuckerberg's wall about it and was generally a badarse.

Khalil explains on his blog that he submitted a full description of the bug, plus follow-up proof of its existence to the Facebook security feedback page, where researchers can win rewards of at least $US500 for finding significant vulnerabilities. Then he submitted again. The second time he got an e-mail back that said, "I am sorry this is not a bug."

When he posted on Zuckerberg's wall, Khalil said, "First, sorry for breaking your privacy and posting to your wall. I had no other choice to make after all the reports I sent to the Facebook team." He then detailed the situation and provided links.

Within minutes, a Facebook engineer contacted Khalil for more information and then blocked his account "as a precaution" while a security team fixed the bug. Later his account was re-enabled. But Facebook says that he cannot claim a reward for the find because in hacking Zuck's wall he violated Facebook's terms of service.

Facebook commented that "exploiting bugs to impact real users is not acceptable behaviour for a white hat. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent." Facebook admits, though, that its team should have been more diligent in following up on Khalil's submission. So. Cool. Problem solved. [Khalil, RT, The Verge]


Comments

    Well, at least they are paying attention to such a serious reported bug now!

      This is precisely why I don't use social media of any type. It's intrusive on your privacy the second you sign up; data is gathered and very probably sold, not shared, to whoever is willing to pay for it, and then they have the arrogance to firstly ignore then disrespect someone who is trying his best. What a bunch of fucking clowns.....

      But yeah, well said.. seems it takes a black hat these days...

    This guy should be given a job at Facebook. He's currently unemployed, well educated and can sniff out flaws like this. My two cents.

    I imagine Khalil's white hat has turned a shade of grey upon hearing there would be no $5k for finding the flaw.. I imagine he could have made a bit more selling the bug to spammers.

      It's 500, not 5k

        That is so cheap of them to not pay that.
        He only used the exploit, because they didn't accept his submission through the proper channels.

          Exactly, I'm sure the bug would have been worth more than 500 had it landed in somebody else's hands.

          Tight, and massively disappointing. The kind of thing I'd expect from google, but not facebook! :P

            It's what people expect from Apple or Facebook, I would not expect it from Google.

        Actually, you are wrong. It would be a few grand in this case.

        I think they should pay the $500 for the bug and another $4500 with a formal apology for accusing him of "hacking" zuck's wall...

        1. The second time he got an e-mail back that said, “I am sorry this is not a bug.”

        2. But Facebook says that he cannot claim a reward for the find because in hacking Zuck’s wall he violated Facebook’s terms of service.

        If the facebook team did not recognise this as a bug, wouldn't this disprove the latter statement? If it's not a bug, then that would imply that it's functioning correctly... Yet if it's functioning correctly, how could he be "exploiting" it? Facebook should be giving a formal apology to ALL users for implying that a vulnerability to their privacy was overlooked despite multiple reports!

        Facebook team = Officially disgraced...

    Within minutes, a Facebook engineer contacted Khalil for more information and then blocked his account “as a precaution” while a security team fixed the bug. Later his account was re-enabled. But Facebook says that he cannot claim a reward for the find because in hacking Zuck’s wall he violated Facebook’s terms of service.

    Pay the man ya tight arses.

    Not only should he have received his reward, but Facebook should be thanking him for being so non-malicious in the manner in which he highlighted the flaw. He could have wreaked havoc with this flaw.

      Folks who've been unjustly spurned have done far worse.

      Not only does it show that they're idiots and fools, but it shows that they're sore and tight about it. No sense of humour or charity among them who can't offer and don't really deserve respect.

    “I am sorry this is not a bug.”
    So they know about it. They don't want to fix it. They want it to be hackable.

      How can they claim that it is against their terms of service? They said it wasn't a bug, which means that he wasn't exploiting a bug to do something; he was using something they acknowledged as a feature.

    Just goes to show why white hat hackers shouldn't help douchebag companies like Facebook, even if it is for $5K. The sooner I see the demise of such orgs, the better. How cheap of them for not paying him and claiming it to be an abuse of the terms of service. I bet that reward didn't include any mention of "your bug report needs to be in line with terms of use" and they have just put that up as a wall to prevent him from claiming.

    Douchebags. Ignore a valid bug and then, when shown proof, act like belligerent dicks. Let's hope Master Zuck demotes the "it's not a bug" douche and hires the security researcher instead.

    I'll play along even though it's very clear the reward is only US$500

    GIVE HIM HIS $5MIL!

    "So. Cool. Problem solved"

    Not cool though. Another big company squirming out of their responsibilities.

    I hope he hadn't already spent the 5 trillion dollar reward

    So the moral of the story: If you find a bug, tell them what it allows you to do, but not how you do it. If they're not interested, sell it to someone else.
    If they are interested, then tell them, but only after they agree that doing something like that is a bug. Else, sell it to someone else.

    It's a dog-eat-dog world. If they aren't willing to cough up the funds for people who are trying to help, I have no qualms about them turning it over to someone else, because that happens every day anyway. Though I would simply say that I was going to give it to someone else and see if they react....might need to do that from a dummy account though.

    Last edited 19/08/13 6:09 pm

      Plausible deniability works.

      "I can't be the only person to have discovered this. It's quite simple when you realize how it works. I'd hate for others to start discovering this before you found out what it was, though."

    Give him the money!! They should be thankful it wasn't a cracker that stole people's billing information and passwords. Who knows what else the security team have ignored...

    Well, simple: he was from Palestine and Facebook is Zionists.

    Give him 5K!!! Someone should start an online petition...

    Facebook should be totally paying him a reward, for 2 simple reasons...
    1) Next time someone finds a bug there will be no incentive to 'do the right thing'.
    2) It's bad business practice for Facebook to punish a customer for the mistakes its staff have made, particularly when the customer has gone out of his way to help a complete stranger. Mr Zuck, don't be a lame ass, show your gratitude, you can sure as hell afford it.
