Zuckerberg's Personal Facebook Page Hacked!
One Way to Get Facebook's attention: Hack Zuckerberg's Personal Page
August 19, 2013
Khalil Shreateh via Blogspot
Khalil Shreateh's post on Mark Zuckerberg's wall, as shared by Shreateh. A security researcher attempting to report a site vulnerability to Facebook’s security team got the kind of robotic non-response that civilian users often gripe about when reporting problems to the world’s largest social network. So how did he finally get the company's attention? In a dramatic attempt to raise awareness of this privacy hole, he used that very exploit to post a bug report on CEO Mark Zuckerberg's page.
When he hacked the site, Palestinian developer Khalil Shreateh did get Facebook's attention. But he didn't receive the $500 minimum from Facebook's Bug Bounty program, which — in keeping the site's hacker pose — offers rewards to infrastructure sleuths. He didn’t get a thank-you note. Nobody bought him a Coke. Instead, for violating Facebook’s terms of service — "Thou shalt not hack Facebook" — Shreateh got his own Facebook profile bounced from the site, at least temporarily.
When it comes to customer communication, Facebook’s lack of it is legendary. Alerting the media or launching an online petition seems like the only way some disgruntled users could receive resolution. When mastectomy and breast feeding images get knocked off the site, when non-famous people with celebrity names try to prove they're real too, when the most tasteless content remains in plain view, emails to the social network don't work — change only comes when someone draws attention from the outside.
So while hacking Mark Zuckerberg's personal page is no way to, "friend," the young billionaire, you can understand why a fed-up security researcher might resort to it.
Hacking Zuckerberg’s wall wasn’t Shreateh’s first course of action. Just like the mom who resorted to a Change.org petition when Facebook banned the photo of her son competing in the Special Olympics or the guy who turned to BuzzFeed after the social network refused to un-memorialize his profile after a prankster reported him dead, Shreateh first attempted the proper channels.
Shreateh, whose first language is Arabic, details his correspondence with Facebook’s security team on his blog. He describes — in shaky but understandable English — the flaw that allows users to post to Facebook timelines of users with whom they aren’t friends. In his report, Shreateh included a screenshot of the bug — a post he was able to make to the profile of Sarah Goodin — Zuck’s college friend and the first woman to join The Facebook, (as they called it back in the day).
"I am sorry this is not a bug," is the response he received.
A few frustrated emails later, Shreateh posted to Zuckerberg’s wall.
“First, sorry for breaking your privacy and post to your wall,” reads an image Shreateh describes as a screenshot of his post. “I has [sic] no other choice to make after all the reports i sent to Facebook team.”
Within minutes, Shreateh says, he was contacted by Facebook security and asked to detail his exploit. Also, his Facebook account was disabled, he was told, “as a precaution.”
Shreateh's Facebook profile was later reinstated — he's currently using a photo of NSA leaker Edward Snowden — but he shouldn't expect any further recompense. In a contentious forum discussion on Hacker News, which first reported the story, Matt Jones, a member of Facebook's security team, explains that Shreateh violated Facebook's Terms of Service for posting on both Goodin and Zuckerberg's Facebook pages.
When we contacted Facebook, the company stood by Jones' statement. Here's an excerpt:
“In order to qualify for a payout, you must make a good-faith effort to avoid privacy violations ... [and] use a test account instead of a real account when investigating bugs. ... [Facebook] will pay out for future reports from [Shreateh] if they’re found and demonstrated within these guidelines.
"Well according to Facebook, 'this is not a bug,'" one Hacker News forum user remarked in the ongoing debate over whether Shreateh deserves the bug bounty. "Which means the feature works as intended. If he is using Facebook as it is intended, then how can he be breaking the [Terms of Service]?"
Do you have a complaint or comment for Facebook? Send 'em a note. Emotionless unresponsive automatons are standing by!
[color="blue"]Now I know! They never listen to complaints![/blue]
|The Following User Says Thank You to Nellie Bly For This Useful Post:|
Re: Zuckerberg's Personal Facebook Page Hacked!
So he didn't hack it? It's just a feature that is available that maybe shouldn't be? I'm confused.