Facebook founder and chief executive Mark Zuckerberg has had his profile page hacked by a Palestinian IT security researcher, after the social network ignored his warnings that a glitch in the site allowed anyone to post on a stranger’s wall.
Khalil Shreateh, an information systems expert from Palestine, attempted to report the vulnerability to Facebook’s security team twice, demonstrating that the glitch was real by posting an Enrique Iglesias video on the wall of one of Zuckerberg’s college friends, Sarah Goodin, with whom he was not connected.
However, Facebook dismissed his warnings, claiming that the issue “was not a bug”, as only Goodin’s friends were able to see the post on her wall.
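The security point that got lost in the triage is that who can *see* a wall and who can *write* to it are two separate authorization checks. As an added illustration (this is hypothetical example code, not Facebook's, and the user names, the `WallService` class and its `enforce_write_check` switch are all assumptions for the demo), the toy model below replays the scenario with a service that enforces friendship only on the read path, then with the write path checked as well:

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a caller is not allowed to write to a wall."""


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # Who may write on this user's wall: "friends" (default) or "everyone".
    wall_post_policy: str = "friends"


@dataclass
class Post:
    wall_owner: str
    author: str
    content: str


class WallService:
    """Toy wall model (hypothetical, not Facebook's code).

    With enforce_write_check=False the service behaves like the flaw in the
    article: visibility of a wall is checked on read, but nothing checks
    whether the author is allowed to post there in the first place.
    """

    def __init__(self, enforce_write_check=True):
        self.enforce_write_check = enforce_write_check
        self.users = {}
        self.posts = []

    def add_user(self, name, wall_post_policy="friends"):
        self.users[name] = User(name, wall_post_policy=wall_post_policy)

    def befriend(self, a, b):
        self.users[a].friends.add(b)
        self.users[b].friends.add(a)

    def is_friend(self, owner, other):
        return other in self.users[owner].friends

    def can_write(self, author, owner):
        """Write authorization: the owner, or whoever the owner's policy admits."""
        if author == owner:
            return True
        if self.users[owner].wall_post_policy == "everyone":
            return True
        return self.is_friend(owner, author)

    def post_to_wall(self, author, owner, content):
        # Hardened form: authorization is checked on the write path itself,
        # not left to the read-side visibility filter.
        if self.enforce_write_check and not self.can_write(author, owner):
            raise PermissionDenied(f"{author} may not post on {owner}'s wall")
        self.posts.append(Post(owner, author, content))

    def view_wall(self, viewer, owner):
        """Read authorization: only the owner and the owner's friends see the wall."""
        if viewer != owner and not self.is_friend(owner, viewer):
            return []
        return [p for p in self.posts if p.wall_owner == owner]


def run_scenario(enforce_write_check):
    """Replay the article's scenario with constructed users; report what each party sees."""
    svc = WallService(enforce_write_check)
    for name in ("zuckerberg", "goodin", "researcher"):
        svc.add_user(name)
    svc.befriend("zuckerberg", "goodin")  # the researcher is friends with neither

    try:
        svc.post_to_wall("researcher", "goodin", "video link")
        posted = True
    except PermissionDenied:
        posted = False

    return {
        "researcher_posted": posted,
        # The read check holds either way: the researcher cannot see goodin's wall...
        "researcher_sees": len(svc.view_wall("researcher", "goodin")),
        # ...but goodin's friend can, so an unauthorized post still reaches her audience.
        "friend_sees_authors": [p.author for p in svc.view_wall("zuckerberg", "goodin")],
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(enforce_write_check=False))
    print("hardened:  ", run_scenario(enforce_write_check=True))
```

Run as-is, the vulnerable configuration shows exactly the argument Facebook made: the stranger cannot read the wall he posted to. That is why "only her friends could see it" is not a defence; the post still lands in front of the owner's friends, which is the impact. The fix is the `can_write` check on the write path, which has to be evaluated against the wall owner's relationship to the author, not the author's own privacy settings.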
Frustrated, Shreateh decided to use the glitch to hack into Mark Zuckerberg’s profile page. In a post which has since been removed, he apologised for breaking Zuckerberg’s privacy, adding: “I had no other choice… after all the reports I sent to Facebook team”.
In less than a minute, Shreateh’s Facebook account was suspended and he was contacted by a Facebook security engineer requesting all the details of the exploit.
Palestinian Khalil Shreateh, the man who claims to have hacked Facebook founder Mark Zuckerberg’s home page, sits in front of his computer at his home in the West Bank town of Yatta, south of Hebron. (ABED AL HASHLAMOUN/EPA)
Facebook’s bug bounty programme pays a minimum of $500 for any qualifying security flaw a researcher reports. However, the company has refused to pay Shreateh for discovering the vulnerability because his actions violated Facebook’s Terms of Service.
In a Hacker News thread, Matt Jones from Facebook’s security team confirmed that the bug has now been fixed, admitting that the company should have asked more details after Shreateh’s initial report.
“We get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters,” he said.
“However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it’s sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.”
Shreateh has made the following video demonstrating the exploit: