Do I have your attention now, Mr Zuckerberg?
A Palestinian information systems analyst took the social network by surprise by posting details of serious security vulnerabilities he had discovered on the personal Facebook wall of Facebook founder and CEO Mark Zuckerberg.
The vulnerability, which was reported by a man called ‘Khalil,’ allows any Facebook user to post anything on the wall of any other user, even one who is not on their list of friends.
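The flaw described above is a missing server-side authorization check: the interface hides the post box from non-friends, but the endpoint does not re-check who is allowed to post. The following is an added illustration written for this article, not Facebook's code; the user model, the `wall_policy` setting and all sample data are constructed assumptions, and it shows the broken handler next to one that decides from the wall owner's own privacy setting and friend list.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    friends: set = field(default_factory=set)
    wall_policy: str = "friends"        # assumed setting: "friends" or "everyone"
    wall: list = field(default_factory=list)


class NotAuthorized(Exception):
    """Raised when the acting user may not post on the target's wall."""


def post_to_wall_vulnerable(users, actor_id, target_id, text):
    # Broken pattern: the UI hides the post box for non-friends, but the
    # endpoint never re-checks, so any authenticated user who submits the
    # request directly lands a post on any wall.
    users[target_id].wall.append((actor_id, text))
    return True


def may_post(users, actor_id, target_id):
    # Authorization is decided from server-side state only: the target's own
    # privacy setting and friend list, never from anything the client sends.
    target = users[target_id]
    if actor_id == target_id or target.wall_policy == "everyone":
        return True
    return actor_id in target.friends


def post_to_wall_fixed(users, actor_id, target_id, text):
    if not may_post(users, actor_id, target_id):
        raise NotAuthorized(f"user {actor_id} may not post on wall of {target_id}")
    users[target_id].wall.append((actor_id, text))
    return True


def demo():
    # Constructed data: users 1 and 2 are friends, user 3 is a stranger to both.
    users = {1: User(1, friends={2}), 2: User(2, friends={1}), 3: User(3)}
    vulnerable_ok = post_to_wall_vulnerable(users, 3, 1, "posted by a stranger")
    try:
        post_to_wall_fixed(users, 3, 1, "posted by a stranger")
        fixed_blocked = False
    except NotAuthorized:
        fixed_blocked = True
    friend_ok = post_to_wall_fixed(users, 2, 1, "posted by a friend")
    return {"vulnerable_ok": vulnerable_ok, "fixed_blocked": fixed_blocked,
            "friend_ok": friend_ok, "wall_len": len(users[1].wall)}
```

Running `demo()` shows the stranger's post landing on wall 1 through the vulnerable handler and being rejected by the fixed one, while a friend's post still goes through.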
‘Khalil’ had reported the vulnerability to the Facebook security team but was ignored. “Sorry, this is not a bug,” Facebook’s security team said in response to Khalil’s second report, in which he offered to reproduce the discussed vulnerability on a test account of a Facebook security expert.
Khalil then posted a video on YouTube showing how the vulnerability worked, and how a person equipped with the knowledge could have posted on anyone’s Facebook page. After his second and third reports to Facebook’s engineering team, Khalil posted a message on Zuckerberg’s wall:
Within minutes of the post, Khalil’s account was shut down and a Facebook engineer contacted him asking for all relevant information relating to the vulnerability. The account was eventually reinstated and he was encouraged to keep discovering and notifying the company about security vulnerabilities on the Facebook platform. Khalil had reported the vulnerability through Facebook’s security feedback page, which offered a minimum reward of US$500 for each real security bug report, but his report had initially been ignored.
"White hat" refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organisation's information systems.
Facebook was refusing to pay the reward, claiming Khalil acted outside Facebook’s terms and conditions. It is unclear what he is said to have violated. Facebook will pay out a minimum of $500 for each security breach reported. There is no upper limit on the reward.
Facebook spent $40,000 (£25,000) in the first 21 days of a program that rewards the discovery of security bugs. One security researcher has been rewarded with more than $7,000 for finding six serious bugs in the social networking site. Facebook had originally set up a system to handle these reports in 2010, which promised not to take legal action against those who find bugs and gave it a chance to assess them under the company's "white hat" policy.