Technology and bugs go hand in hand, and Facebook is no exception. Mark Zuckerberg, CEO of Facebook, recently had a rather unusual post appear on his wall. The post itself demonstrated a Facebook vulnerability: anyone could write on another user’s wall without first being that user’s friend.
The issue was brought to light by Khalil Shreateh, an IT expert from Palestine. Shreateh said he reported the bug on Mark Zuckerberg’s own Facebook page only after Facebook’s security team had failed to act on his report.
Under Facebook’s rules, only friends can post on each other’s walls. The vulnerability, however, let any user post anything on another user’s wall, even when the two were not friends. Shreateh first reported the bug through the social network’s White Hat security disclosure program, which promises a $500 reward for genuine bugs.
The Facebook security team, however, dismissed his demonstration. A Facebook security engineer replied to Shreateh, “sorry this is not a bug.”
Shreateh then took his findings directly to Mark Zuckerberg, posting on Zuckerberg’s wall and thereby demonstrating the very bug he was reporting. He wrote, “couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users’ timeline while they are not in friend list.” He added, “I appreciate your time reading this and getting someone from your company team to contact me.”
His efforts bore fruit: Facebook’s security team contacted him for further details. Shreateh’s Facebook account was also disabled as a ‘precautionary’ measure. A Facebook engineer wrote to Shreateh, “When we discovered your activity we did not fully know what was happening. Unfortunately, your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.”
The engineer, Joshua, also informed Shreateh that he was not eligible for the $500 reward because he had violated Facebook’s terms of service, adding, “We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
A Hacker News post by a Facebook security engineer this Saturday confirmed that the issue has been fixed.