Every now and then, a billionaire bigshot needs to be taught a lesson. Khalil Shreateh schooled Facebook founder Mark Zuckerberg and didn’t even get paid for it.
The humble Palestinian hacker found a rare Facebook glitch that would allow anyone to post on a stranger’s wall on the social-media site, but was ignored by company brass when he told them about it. That’s when Shreateh decided to prove his point by writing about the issue on Zuckerberg’s own wall.
Last week, Shreateh contacted the Facebook security folks after he had already proved the potentially disastrous glitch was for real by writing on the wall of Sarah Goodin, a close friend of Zuckerberg’s dating back to his Harvard days.
Shreateh’s politely worded missive to Facebook: “My name is Khalil Shreateh. I finished school with B.A degree in Information Systems. I would like to report a bug in your main site (www.facebook.com) which i discovered it … The bug allow Facebook users to share links to other facebook users, I tested it on Sarah.Goodin wall and I got success post.”
Shreateh, whose first language is Arabic, lives in Palestine and hoped his ability to post to Goodin’s wall would prove his case to Facebook security.
But instead of fixing the pretty obvious security breach, Facebook responded to Shreateh by telling him the issue “was not a bug.”
To prove his point, Shreateh then used that very same glitch to hack his way onto Zuckerberg’s personal Facebook page.
Shreateh’s post: “Sorry for breaking your privacy. I had no other choice … after all the reports I sent to Facebook team.” His non-threatening memo to Zuckerberg recounted his attempts to warn the social-media site and a throw to his own personal blog.
And presto, his generous gesture received a response in minutes. Facebook flunkies were immediately all over Shreateh, demanding to know how he had hacked their boss’s personal page. (The post has since been removed.)
In a Saturday post on the watchdog website Hacker News, Facebook security team member Matt Jones crowed, “We fixed this bug on Thursday.”
Facebook has a widely known bounty program that is designed to bribe hackers into reporting glitches they find rather than exploiting them. The average payout is around $500 (U.S.).
But in that same wheedling mea culpa, Jones said that Shreateh will not be receiving a bonus check for reporting their mistake.
“In order to qualify for a payout, you must make a good faith effort to avoid privacy violations … and use a test account instead of a real account when investigating bugs,” said Jones in his HackerNews post.
Shreateh did them a favour, but according to Jones, when he posted to Zuckerberg and Goodin’s accounts, he also violated the website’s terms of service. Just last month, Forbes estimated that Zuckerberg’s personal wealth had swollen to $16.1-billion.
But Facebook did appreciate Shreateh’s gesture, sort of.
Jones’ post on HackerNews invited him to tell them about any future glitches and maybe then they can talk money. “We will pay out for future reports from him,” Jones said, “if they’re found and demonstrated within these guidelines.”
But will Shreateh even bother looking for glitches anymore after Facebook’s response to his initial efforts?