Screenshot of Mark Zuckerberg's Facebook page, via Khalil Shreateh
A word to the wise: If you're looking to get paid a reward for exposing a bug on Facebook, you probably shouldn't hack Mark Zuckerberg.
In case you missed it, a white hat researcher hacked Zuckerberg's personal Facebook page Sunday to call attention to a security vulnerability, after Facebook ignored his previous attempts to report the bug. The bug in question allowed users to post on the timeline of users who weren't their "friend." To demonstrate this, the researcher, Khalil Shreateh, posted a message on Zuckerberg's wall.
Naturally, when you hack Zuck, you're going to get people's attention, and after the story had circulated through the blogosphere for a day, at 10 PM last night Facebook finally weighed in on the controversy.
Facebook Chief Security Officer Joe Sullivan admitted in a post on the site that the company was "too hasty and dismissive" with the researcher, but also that it refused to pay out the reward money—$500 for a legitimate bug—because Shreateh compromised the privacy of "a real user" in the process. (The identity of the "user" was not revealed, as if anyone didn't already know.)
"We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users," Sullivan wrote. "It is never acceptable to compromise the security or privacy of other people."
Facebook broke the news to the researcher personally, sending him this message, which Shreateh then posted on his blog:
We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
Facebook's White Hat program has paid out more than a million dollars to researchers that point out bugs. The policy stipulates that to quality for the bug bounty, you must not compromise the privacy of any Facebook users:
Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners…Our security team will assess each bug to determine if it qualifies.
If you ask me—or the vast majority of commenters on Facebook's statement—skimping on the five hundred bucks is a bit harsh. Yes, Shreateh technically violated the policy, but Facebook did give him the brush off, more than once. And while the move to go straight to Zuckerberg was somewhat dramatic, Shreateh was polite about it. He posted this on the founder's wall:
Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team…A couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users timeline while they are not in friend list. I appreciate your time reading this and getting someone from your company team to contact me.
The security community, unsurprisingly, agrees that Shreateh was denied his rightful reward, and they've rallied to raise over $6,000 to compensate Shreateh for the denied reward. Marc Maiffret, the security expert and former hacker who launched the fundraising campaign, said the bug that Shreateh exposed was a serious vulnerability. "There's so many ways to leverage that in cybercrime attacks," he told Wired.
For its part, Facebook claims Shreateh's initial reports were disregarded because they weren't detailed enough. It says it receives thousands of bug reports, and only a tiny few are valid. In its statement, the company dispelled claims from yesterday that it ignored Shreateh's report because his English wasn't too good. "The breakdown here was not about a language barrier or a lack of interest—it was purely because the absence of detail made it look like yet another misrouted user report," wrote Sullivan. After his first reports went nowhere, Shreateh made the YouTube video below, describing the bug in detail.
Sure, the guy could have followed instructions better. But you still can't help but wonder if Facebook would have been a bit more flexible if the "real user" Shreateh had hacked was someone other than the boss man himself.
UPDATE: Hackers raised over $10,000 for Shreateh for future security research. The crowdfunding campaign on gofundme surpassed its goal.