If you want to prove anything, hack the whole system. That was the message a security researcher sent to Mark Zuckerberg's team through the Facebook CEO's own account. Khalil Shreateh, the researcher, discovered a bug on Facebook that allows you to post to anybody's wall even if they are not your friend. He wanted to prove that his work and the bug were real, and he chose a strange yet effective way to do it. Facebook wasn't delighted by this, and it is fair to say it made them a bit angry.
Security researchers can be tough to deal with sometimes. This Palestinian researcher wrote that he was sorry for violating Zuckerberg's privacy and using the bug to post on Mark's wall, but he claimed that he had no other choice after sending numerous reports to the security team. The researcher says that he is unemployed and has a degree as an information systems specialist. A bug that allows you to write on any Facebook user's wall is a serious flaw and an attractive target for spammers. Not only them: scam artists and hackers could also take advantage of it to threaten the security of the 1 billion users of this social network.
In his official blog post, he showed all the e-mails he sent to Facebook's team in order to get this bug fixed, and we could see that they did not receive a clear response. To his first e-mail he received a reply from a Facebook employee who told him the link was bad. It seems that he even tried to prove his point by posting a video through the account of a woman who went to the same college as Mark Zuckerberg. He suspected that the team couldn't see the problem because none of them were on her friends list. To his second message, Facebook responded that what he was sending them was not a bug and couldn't cause any problems.
Before breaking into Mark's privacy, he warned them that he had no other choice than to show this to Mark on Facebook. By posting the message he got their attention, and we can expect them to be more serious the next time they receive something like this from a security researcher. Facebook reported that this bug was fixed a few days ago, but the story began to spread across the Web through the weekend and caused lots of questions to be sent to Facebook's address.
A Facebook team member has said that Khalil's language barrier and the numerous reports Facebook received in a short period of time were the main reasons for their slow response. Jones tried to take the load off Facebook's shoulders, saying that all he reported was a message about a bug that let all users post links to other Facebook customers. The most interesting part is that this researcher won't receive his award for discovering the bug because he violated the terms of service.
Even though he found a major bug that can cause lots of security problems, he would have gained respect if he had gone back to the Facebook team that is in charge of security. More evidence and explanation would have earned him the award, and if the team still didn't listen, the second option would be taking this to a tech journalist for a report. Posting a bug report through the CEO's official account is a violation and won't do you any good.
However, I must admit that I'm already a fan of his, simply because it takes a lot of courage to do something as serious as breaking into the Facebook CEO's privacy on his own social network.