Embarrassment for Facebook as Zuckerberg's profile hacked
Web developer hacked CEO's profile page after security team ignored his warnings about glitch
A PALESTINIAN web developer has hacked into Mark Zuckerberg's Facebook profile page after the social network ignored his warnings about a glitch on the site.
Khalil Shreateh twice tried to report a vulnerability that enabled anyone to post on a stranger's wall. However, Facebook's security team dismissed his reports.
Frustrated, Shreateh decided to use the glitch to hack into the profile page of Facebook's co-founder and CEO, reports the Daily Telegraph.
In the post, which has since been removed, he apologised for breaking Zuckerberg's privacy. Shreateh, whose first language is Arabic, added: "I had no other choice... after all the reports I sent to Facebook team."
Within minutes, Shreateh's Facebook account was suspended and a Facebook security engineer contacted him to request the details of the exploit.
On Hacker News, a Facebook security engineer confirmed that the bug has now been fixed. He said Shreateh's initial report did not offer enough information for the team to act on, but conceded that they should have asked for more details.
The social network has a policy of paying a bounty of at least $500 to anyone who responsibly reports a security flaw on the site. However, it has refused to pay Shreateh because it says he violated Facebook's Terms of Service by using the accounts of real people, without their permission, to demonstrate the glitch.
"Exploiting bugs to impact real users is not acceptable behaviour for a white hat," said the engineer – referring to the name given to an ethical computer hacker intending to improve security.
Several commenters on Hacker News have argued that Facebook's refusal to pay Shreateh might give rise to the belief that researchers could earn more money by selling information about glitches to the highest bidder in the "black hat" market.
The incident will embarrass Facebook, says John E Dunn, co-founder of technology news site Techworld. A potentially significant security issue, raised by someone "attempting to report it in good faith", was simply ignored.