People like to complain about the privacy settings on Facebook, saying that they’re too complicated or that it’s difficult to set a profile to be completely private. It turns out that there is another, very valid complaint that could have been made: sometimes, the privacy settings simply don’t work.
This point was proved by security researcher Khalil Shreateh last week. He discovered a bug that allowed anyone to post on anyone else’s wall, regardless of that user’s privacy settings. After trying twice to report the bug and being told both times that it was not, in fact, a bug, Shreateh decided to prove his point in a more attention-grabbing manner. If no one was going to listen to him, he would bring the issue to Facebook’s CEO, Mark Zuckerberg – by making an unauthorized post on Zuckerberg’s wall, on which only friends were supposed to be able to post.
Shreateh, whose first language is not English, wrote a post beginning with: “Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team.” The bug was then acknowledged and fixed, but questions remain about how the Facebook team handles security bug reports.
Facebook runs a bug bounty program under which security researchers earn a minimum of $500 for each critical security flaw they uncover and report to Facebook. Shreateh had been hoping to earn a reward for the bug he discovered, but Facebook has been denying his claim due to the unorthodox manner in which he chose to reveal the bug.
The money is only given out if the bug’s discoverer follows Facebook’s guidelines, which happen to include not using the bug on real people’s accounts (researchers are instead directed to create test accounts). Normally this would make sense, but considering that Shreateh attempted to report the bug through legitimate means twice and was denied, some are asking if it’s really fair to not make an exception and give the man his reward.
Despite not receiving any payout from Facebook itself, the event has given Shreateh an edge; after hearing about his white hat abilities, many companies have already offered him jobs.
Edited by Alisen Downey