Hacker discovers serious Facebook security flaw, denied $500 reward

A Palestinian hacker discovered a serious security flaw in Facebook that allowed any user to post to anyone else's Timeline, regardless of whether the two were friends. The hacker, Khalil Shreateh, proved his point by posting directly to the private Timeline of Mark Zuckerberg. Unfortunately, Shreateh's method may have cost him at least a $500 reward.

Facebook claims that Shreateh violated the terms of its bug bounty program by exploiting the bug against a real user's Timeline (and Facebook's founder and CEO isn't just any user) in order to expose it. Bounty programs of this kind typically require researchers to demonstrate findings only against accounts they control. The decision has created a controversy in the hacker community. Some argue that Shreateh should have paid closer attention to Facebook's rules; others argue this was the best way to demonstrate the flaw, and that the damage he prevented outweighs a minor violation of Facebook's terms.


After discovering the bug, Shreateh posted to the Timeline of Sarah Goodin, a Harvard classmate and friend of Zuckerberg. Goodin's Facebook profile is private. He then emailed Facebook's security team a link to the post.

Because of Goodin's privacy settings, Facebook's security team could not view the post, and responded that the link only returned an error. When Shreateh pointed this out, the only reply he got was, "Hi Khalil, I am sorry this is not a bug."

The hacker decided the only way he would get Facebook's attention was to post directly to Zuckerberg's Timeline, explaining how the security team was ignoring a pretty major vulnerability. Just imagine the damage malware spammers could do if given the ability to post on every Timeline on Facebook, regardless of a user's privacy settings.

Read more from the International Business Times & Mashable.

Watch the video in which Shreateh explains how he managed to access multiple Facebook pages.


