Facebook has blamed a misunderstanding for an embarrassing incident last week in which founder Mark Zuckerberg’s Timeline was hacked to draw attention to a security flaw a researcher believed was being ignored by the firm.
As QEDs go, what Palestinian researcher Khalil Shreateh did to try to earn a bug bounty under Facebook’s Whitehat program counts as an unorthodox but effective way of grabbing the firm’s attention by any means necessary. But should it have come to that?
Shreateh had discovered a bug that allowed anyone to post to a user’s Wall without being on that user’s friend list. He demonstrated it by posting to the private Timeline of Sarah Goodin, someone connected to Mark Zuckerberg from his college days.
After reporting the issue for a second time and being told “sorry, this is not a bug,” Shreateh decided to show off the flaw on the one Timeline that might grab some attention, that of Mark Zuckerberg.
“Dear Mark Zuckerberg, first sorry for breaking privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team,” he wrote in the note on the founder’s Wall. “My name is KHALIL from Palestine.”
The researcher then linked to his reports and the replies he had received from Facebook.
Not long after that, Shreateh had his account temporarily disabled and received the following message: “Facebook disabled your account as a precaution. When we discovered your activity we did not fully know what was happening.”
The message went on to say that his report of the flaw had not contained enough information and that, because he had not used the correct reporting procedure, he would not be paid under the Whitehat system.
“We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
Facebook’s security team later defended its action on the Hacker News forum, stating that the researcher had only sent a link to the unauthorised posting on the Wall of Sarah Goodin.
While admitting the team should have clarified the issue more carefully, Facebook’s representative went on to say that “many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters.”
Facebook currently receives hundreds of reports every day and has fixed the flaw reported by Shreateh, the firm said. Its Terms of Service (ToS) clearly explain the reporting procedure in a number of languages, including Arabic.
The incident will nevertheless embarrass Facebook. A potentially significant security issue was ignored when someone attempted to report it in good faith. Critics might point out that the firm’s evident preference for receiving word of security issues in English is beside the point: what if a researcher doesn’t speak English?
Some Hacker News commenters argued that while Facebook’s hardline stance on not paying Shreateh was technically correct, it might still reinforce the view in some quarters that researchers could earn more by selling or ‘Black Hatting’ flaws to the highest bidder.