After discovering a major flaw in Facebook’s security, Palestinian programmer Khalil Shreateh tried to collect the $500 reward that Facebook hands out to people who discover and report vulnerabilities. However, things did not go as planned: Shreateh was unable to get a response from Facebook after submitting the flaw.
He tried multiple times to get a response from Facebook’s security team but never received a reply, so he took a different approach. Shreateh used the flaw he had discovered to hack into Facebook CEO Mark Zuckerberg’s personal Facebook account. After exploiting the flaw, Shreateh was able to post on Zuckerberg’s timeline even though he was not on Zuckerberg’s friends list.
The hacker wrote to the Facebook founder, stating:
Sorry for breaking your privacy. I had no other choice to make after all the reports I sent to Facebook team … as you can see I am not in your friend list and yet I can post to your timeline.
Although he is now unable to claim the reward, Shreateh is being praised by regular users as well as by people in the security community who have long pointed out issues with Facebook’s privacy and security settings. Facebook software engineer Matthew Jones attempted to justify Facebook’s decision to ignore the report by stating that Shreateh’s initial email was “poorly worded.”
Even if Jones is telling the truth and Shreateh’s report was not worded in a way that was easy to read, Facebook should have followed up so that more information about the vulnerability could be provided. Had the hacker publicly explained the hack rather than doing what he did, a large number of people could have exploited it and damaged Facebook’s reputation.
Facebook fixed the bug last Thursday, with virtually no official comment from the company.