Mark Zuckerberg is a billionaire who owns one of the largest Internet companies in the world. But as an unemployed security researcher proved last week, even the most powerful man on the net can be hacked when Facebook disregards a security tip.
Recently, Palestinian security researcher Khalil Shreateh found a vulnerability that allowed him to disregard Facebook privacy settings and post to anyone’s wall – even people who were not his friends. He reported the security hole to Facebook using the site’s White Hat bug-reporting system, but had difficulty communicating the problem in English. As a result, Shreateh’s concerns were misunderstood and dismissed.
Feeling he was out of options, Shreateh decided to go over the heads of Facebook’s Security team and report the issue directly to the CEO using the bug. Wrote Shreateh directly on Zuckerberg’s timeline: “First sorry for breaking your privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team [sic].”
Within minutes, a Facebook security engineer contacted Shreateh to get more information about the privacy problem. The issue has now been resolved, but not before Shreateh’s account was suspended “as a precaution.” It does not appear as if anyone exploited the vulnerability in a malicious manner before it was patched.
Normally, Facebook offers a $500 minimum bounty to those who report bugs and security vulnerabilities via the site's White Hat program. But because Shreateh broke a number of the program’s rules – hacking an account without permission is a no-no, even to prove a point – no money will be awarded. Facebook has since reinstated Shreateh's account.