18 August 2013 - 8:41am | 4 comments

Hacker reveals Facebook vulnerability by posting on Mark Zuckerberg's wall

Do I have your attention now, Mr Zuckerberg?

A Palestinian information systems analyst took the social network by surprise after posting details of how he discovered serious security vulnerabilities on Facebook founder and CEO Mark Zuckerberg’s personal Facebook wall.

The vulnerability, which was reported by a man called ‘Khalil,’ allows any Facebook user to post anything on the walls of other users - even when those users are not included in their list of friends.

‘Khalil’ had reported the vulnerability to the Facebook security team but was ignored. “Sorry, this is not a bug,” Facebook’s security team said in response to Khalil’s second report, in which he offered to reproduce the discussed vulnerability on a test account of a Facebook security expert.

Khalil then posted a video on YouTube showing how the vulnerability worked, and how a person equipped with the knowledge could have posted on anyone’s Facebook page. After his second and third reports to Facebook’s engineering team, Khalil posted a message on Zuckerberg’s wall:


Within minutes of the post, Khalil’s account was shut down and a Facebook engineer contacted him asking for all relevant information relating to the vulnerability. The account was eventually reinstated and he was encouraged to discover and notify the company about security vulnerabilities on the Facebook platform. Khalil had reported the vulnerability through Facebook’s security feedback page, which offers a minimum reward of US$500 for each real security bug report, but his reports had initially been ignored.

"White hat" refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organisation's information systems.

Facebook were refusing to pay the reward, claiming Khalil acted outside Facebook’s terms and conditions. It is unclear what he is said to have violated. Facebook will pay out a minimum of $500 for each security bug reported. There is no upper limit on the reward.

Facebook spent $40,000 (£25,000) in the first 21 days of a program that rewards the discovery of security bugs. One security researcher has been rewarded with more than $7,000 for finding six serious bugs in the social networking site. Facebook had originally set up a system to handle these reports in 2010; under the company's "white hat" policy, it promised not to take legal action against those who find bugs and gave Facebook a chance to assess them.

Comments

18 Aug 2013 - 09:02
PhilWhomes
2
comments

Surely Facebook are asking for trouble by not rewarding white-hackers. I imagine the nature of the hack - posting on Zuckerberg's wall - has annoyed and embarrassed them so much that they are refusing to pay due to annoyance and spite.

3
0
18 Aug 2013 - 11:29
therealbobfeens
1
comments

Surely they should hire him http://www.buzzolo.com/blog.html

1
0
18 Aug 2013 - 13:15
geece11117
1
comments

Spiteful nerds at Facebook who have been embarrassed by this "white hacker". The CEO should launch an internal investigation to identify those who (a) Ignored the offer of info on more than one occasion (b) Closed the account. Once the jerks are identified, ascertain whether they are in breach of their terms and conditions of employment, sack them if they are and offer the "white hacker" a job as their replacement.

5
0
19 Aug 2013 - 10:39
martynstead
1
comments

@geece11117 Well said, I couldn't agree more

0
0
