Back in August, Khalil Shreateh, a Palestinian security researcher who lists his job status as “unemployee,” discovered a bug on Facebook, the world’s largest social network, that gave him the ability to post content on any other user’s timeline. He then did what any entrepreneurial young security researcher would do: he went straight to the top, explaining exactly what he had discovered with a post on the wall of Facebook founder and CEO Mark Zuckerberg.
That’s right, he disclosed the details of his bug by exploiting the flaw in order to post the details of it on the timeline of Facebook’s CEO.
To be clear, Shreateh claims he had attempted multiple times to disclose his bug to Facebook’s White Hat program, but the two sides misunderstood each other. Apparently Shreateh wasn’t providing enough technical information. Facebook would later confirm the existence of the bug, deactivate Shreateh’s Facebook account, and ultimately award him no bounty for the bug, explaining that he had violated the terms of service with his demonstration.
Surprisingly, the incident was little more than a misunderstanding. Facebook reactivated Shreateh’s account shortly after having deactivated it.
In fact, a Facebook spokesperson told Threatpost via email that Shreateh has since reported more bugs to their White Hat program, following the correct guidelines for these, and receiving bounty payments in turn.
The vulnerability here isn’t an especially critical one, but Facebook users should not be able to post content on, or even view, the walls of anyone other than their friends, unless the user receiving the content has gone into their settings and specifically allowed everyone to post on their wall.
Shreateh disclosed the bug through Facebook’s White Hat program by performing the attack on a seemingly random user. Initially, the security team at Facebook responded to Shreateh telling him that what he found was not a bug, which, Shreateh claims, is why he then had to perform the attack again, publishing a post on Zuckerberg’s timeline to show that there was indeed a vulnerability.
This, of course, is not what most researchers would consider responsible disclosure, which is likely the reason why Shreateh did not receive a bounty payment when Facebook eventually acknowledged the bug.