Hacker gets over $12,000 for hacking Zuckerberg's Facebook account
A hacker will receive over $12,000 from well-wishers after hacking Facebook CEO Mark Zuckerberg’s Facebook account. The hacker, who was repeatedly dismissed by Facebook when he tried to report a security flaw, eventually used it to gain access to Zuckerberg's account. Facebook didn't reward him – but the community did.
Facebook staff replied that they got an error when they clicked on the link. What they didn't realise was that they couldn’t see the post Shreateh had made unless they were friends with her on Facebook. Shreateh could, because he had made the post.
Shreateh replied, asking them to make a test account that they controlled, so that he could show them how he could post to their account.
Then came the reply:
Hi Khalil, I am sorry this is not a bug.
Really? Shreateh decided to prove them wrong. He posted to Zuckerberg’s timeline, including links to a video replaying the exploit, apologizing for the post but pointing out that he had to do it after being ignored by Facebook's security team.
"We are unfortunately not able to pay you for this vulnerability because Terms of Service," another Facebook security engineer told him in a mail. "We do hope, however, that you continue to work with us to find vulnerabilities in the site." Facebook’s ‘bug bounty’ program normally awards at least $500 for a valid bug (and this one was most certainly valid).
So, Marc Maiffret, a security expert at a security firm called BeyondTrust, posted a project on crowdfunding site GoFundMe. “Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work,” said Maiffret. “Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.”
The goal for the project was $10,000, and as I wrote this, the site was still raising money. It was almost up to $13,000.
Facebook must be embarrassed. Indeed, its chief security officer Joe Sullivan posted that he understood Shreateh’s frustration.
“(1) We will improve our email messaging to make sure we clearly articulate what we need to validate a bug, and (2) we will update our whitehat page with more information on the best ways to submit a bug report,” he said.
Nevertheless, he pointed out that Shreateh didn't follow standard procedures when reporting the bug. Sullivan argued that Shreateh could have sent more detailed technical information to the researchers in the first place.
What do you think? Should Shreateh have demonstrated the bug on Zuckerberg’s own account? And should he be paid?
Danny Bradbury, MSN Tech & Gadgets