Quantcast
Get breaking news alerts via email

Click here to manage your alerts
Zuckerberg’s Facebook page hacked by unemployed web developer
First Published Aug 19 2013 03:07 pm • Last Updated Aug 19 2013 03:14 pm

An unemployed Palestinian developer named Khalil Shreateh tried several times to report a bug to Facebook’s security team. When no one got back to him, he took the (dubiously) logical next step: exploited the bug to leave a public comment on Facebook CEO Mark Zuckerberg’s wall.

"First sorry for breaking your privacy and post to your wall," an apparent screenshot of the hack reads. "I has [sic] no other choice to make after all the reports i sent to Facebook team."

Join the Discussion
Post a Comment

The break-in, detailed on Shreateh’s blog (and in several agitated posts from Facebook developers on Hacker News), has been more than a little embarrassing for Facebook.

But it’s not exactly newsworthy that Shreateh found a bug — that happens all the time. In fact, Facebook runs a program that encourages white hat hackers to find and report bugs in Facebook infrastructure in exchange for a cash reward. What is unusual is that Facebook didn’t respond to Shreateh’s initial reports about the bug, and that Shreateh then exploited it in violation of Facebook’s policies for white hat hackers.

"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission," insisted Matt Jones, a Facebook software engineer, on the forum Hacker News. "Exploiting bugs to impact real users is not acceptable behavior for a white hat."

So why didn’t Facebook respond right away to Shreateh’s reports? Judging by the email threads with Facebook’s security team that Shreateh posted on his blog, it looks like his bug was lost — literally — in translation. Shreateh’s English is a little shaky, and the Facebook developer he corresponded with doesn’t seem to understand the report:

"Rhe vulnerability allow’s facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post . . . of course you may cant see the link because sarah’s timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority ."

"I am sorry this is not a bug," a Facebook employee reportedly fired back.

On Hacker News, Jones explains that they often get reports from "people whose English isn’t great," and that usually "it’s something we work with just fine." According to Facebook’s own reports, the company relies heavily on international white hat hackers to keep its system secure — of the 329 legitimate bugs reported by white hats in the past two years, more than 260 came from outside the U.S.

The network joins several other tech companies, including Google, Microsoft, PayPal and Mozilla, that pay bounties to white hat hackers and rely on them to help keep systems secure.


story continues below
story continues below

Shreateh reports he will not, however, receive a bounty for his work — per an email from Facebook, he violated the terms of the program when he hacked Zuckerberg’s account. That has enraged some in the security community, who argue Shreateh exposed an important vulnerability in good faith, using the only means available. The bug has since been fixed, according to Jones’s Hacker News post.

"I can talk hours and hours about facebook security team and their secure style, that may take them down by hackers, that mean iam [sic] not a bad hacker and i never been," Shreateh posted on his Facebook Sunday night. His current Facebook avatar is a photo of Edward Snowden. "You should know that iam not a hacker."



Copyright 2014 The Salt Lake Tribune. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Top Reader Comments Read All Comments Post a Comment
Click here to read all comments   Click here to post a comment


About Reader Comments


Reader comments on sltrib.com are the opinions of the writer, not The Salt Lake Tribune. We will delete comments containing obscenities, personal attacks and inappropriate or offensive remarks. Flagrant or repeat violators will be banned. If you see an objectionable comment, please alert us by clicking the arrow on the upper right side of the comment and selecting "Flag comment as inappropriate". If you've recently registered with Disqus or aren't seeing your comments immediately, you may need to verify your email address. To do so, visit disqus.com/account.
See more about comments here.
Staying Connected
Videos
Jobs
Contests and Promotions
  • Search Obituaries
  • Place an Obituary

  • Search Cars
  • Search Homes
  • Search Jobs
  • Search Marketplace
  • Search Legal Notices

  • Other Services
  • Advertise With Us
  • Subscribe to the Newspaper
  • Access your e-Edition
  • Frequently Asked Questions
  • Contact a newsroom staff member
  • Access the Trib Archives
  • Privacy Policy
  • Missing your paper? Need to place your paper on vacation hold? For this and any other subscription related needs, click here or call 801.204.6100.