Facebook doesn't want to pay the expert who hacked Mark Zuckerberg's account

Aug 19, 2013 10:57 GMT  ·  By

A security researcher from Palestine has sparked a lot of controversy after demonstrating a Facebook vulnerability on the profile of Mark Zuckerberg, the social network’s founder.

Initially, Khalil Shreateh attempted to responsibly disclose the vulnerability, which allowed anyone to post a link on any Facebook user’s timeline. He attempted to prove his point by posting on the account of Sarah Goodin, a friend of Zuckerberg’s.

However, Facebook didn’t quite understand what he was trying to demonstrate, so his reports were ignored.

Well, his reports were ignored until he decided to exploit the security hole to post a message on Zuckerberg’s profile. After that, he was contacted by Facebook within minutes.

Facebook has addressed the vulnerability, but the company says it will not reward Shreateh because he has violated the terms of service of the bug bounty program.

In a post on Hacker News, a member of Facebook’s security team argued that the expert didn’t provide sufficient details right from the beginning, which made them think this was just another one of the many daily reports that are “nonsense or misguided.”

Also, the fact that Shreateh’s English isn’t great only made matters worse. As he admits, he doesn’t care much for correcting spelling mistakes.

“However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat,” the Facebook engineer noted.

This is particularly problematic considering that the social media website allows security researchers to create special test accounts.

Some industry members believe Facebook should make an exception and pay Shreateh, despite the rules violation. After all, he did help the organization address a critical issue.

However, others agree with Facebook. They argue that the Palestinian researcher made many mistakes in the way he reported the issue.

If Facebook makes an exception in this case, others might see it as a green light to demonstrate their findings by using real accounts.