Facebook ignored security bug, researcher used it to post details on Zuckerberg's wall


If your Facebook profile isn't public, others aren't supposed to be able to post content on your wall. Khalil Shreateh, a self-described IT expert from Palestine, claims to have discovered a vulnerability that lets anyone post a link to any Facebook user's wall, regardless of that user's privacy settings. Shreateh says he recently reported the bug to Facebook, but claims the company dismissed his report and decided it wasn't a bug.

Facebook didn't take the bug report seriously

In a lengthy blog post outlining the timeline of events, Shreateh says he tested the vulnerability on Sarah Goodin, a friend of Facebook CEO Mark Zuckerberg and the first woman to sign up to the service, before reporting it through Facebook's whitehat disclosure program for security researchers. The program pays researchers a minimum of $500 for valid bug reports. In a copy of an email sent to Facebook, Shreateh explains the details and notes that the security team might not be able to see his test post because Goodin restricts posts to her friends only. Although Shreateh attached a screenshot of the post, a Facebook security engineer, identified only as Emrakul, replied "I am sorry this is not a bug," without asking for additional information.

Undeterred by the response, Shreateh decided to notify Mark Zuckerberg himself by using the bug to post on Zuckerberg's timeline. Minutes later, Facebook security engineer Ola Okelola contacted Shreateh requesting details of the exploit, and Facebook disabled his account, presumably fearing a wider security breach. Shreateh's account has since been re-enabled, but the company claims his original report "did not have enough technical information" for it to take action. In an email to Shreateh, a Facebook security engineer identified as Joshua writes that the company is "not able to pay you for this vulnerability because your actions violated our Terms of Service."

Details of the exact exploit do not appear to have been made public. Had Shreateh gone public instead of reporting through the company's recommended disclosure channel, it is likely a bug of this kind would have been used to spam Facebook users with malicious links. The Verge has reached out to Facebook to verify the details of the bug and to ask why Shreateh's reports weren't taken seriously, and we'll update this story accordingly.

Update: In a response posted on Hacker News, a Facebook engineer writes that the bug was fixed on Thursday and that the company should have asked for more information after the researcher's initial report. But Facebook reiterated its claim that Shreateh violated the company's TOS, writing that "exploiting bugs to impact real users is not acceptable behavior for a white hat. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent." The full response can be read here.