Facebook bug report posted to Zuckerberg wall

ID: IRCNE2013081932
Date: 2013-08-20

According to “ITPro”, an information systems specialist from Palestine has publicly exposed a Facebook security flaw on founder Mark Zuckerberg’s timeline, after the company’s security team denied its existence.
The researcher, who goes by the name of Khalil, found a vulnerability that allows people to post to anyone else’s timeline, irrespective of whether or not the poster and the recipient are friends.
Khalil flagged the issue via Facebook’s White Hat security programme, which promises $500 for each flaw found.
He also demonstrated posting to another person’s wall without being their friend, but the Facebook security team responded by claiming it did not constitute a bug.
Khalil replied, stating “ok, that mean (sic) I have no choice other than to report this to mark (sic) himself on facebook” – and proceeded to do so.
The post from Khalil to Zuckerberg’s Facebook timeline apologised for breaking the billionaire’s privacy but said he had “no other choice ... after all the reports I sent to [the] Facebook team”.
The message concluded: “I appreciate your time reading this and getting someone from your company team to contact me.”
Khalil claims his account was disabled within minutes of the post, with the company initially telling him it had the right to disable any Facebook account without giving a reason.
Shortly afterwards, a member of the Facebook team said they had disabled his account as a precaution. “When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
Facebook has confirmed Khalil’s account of events and that the messages he received from the security team are genuine.
