Mark Zuckerberg's Facebook page hacked by peeved security researcher

Normally you can only post on someone else's Facebook wall if you are "friends". That's the way that Facebook designed it.

But Palestinian researcher Khalil Shreateh found a security vulnerability on the social network that meant he could post messages and photographs to *any* of Facebook's 1,000,000,000+ users' walls - something which in the wrong hands could be a very effective way of spreading malware, scams or spammy links.
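To make concrete what "post to any user's wall" means as an authorization failure, here is an added, constructed model (not Facebook's code; the names, data model and friend graph are assumptions) contrasting a handler that skips the friendship check with one that enforces it server-side, plus an audit that finds non-friend posts already sitting on a wall:

```python
"""Constructed model of the timeline-post rule the article describes: added
example, not Facebook's code; names, data model and graph are assumptions."""
from collections import defaultdict

class AuthorizationError(Exception):
    """Raised when an actor may not post on a target's timeline."""

class SocialGraph:
    """Friendship graph; a friendship is recorded on both sides."""
    def __init__(self):
        self._friends = defaultdict(set)

    def add_friendship(self, a, b):
        self._friends[a].add(b)
        self._friends[b].add(a)

    def are_friends(self, a, b):
        return b in self._friends[a] and a in self._friends[b]

def can_post_to_timeline(graph, actor, target):
    """Server-side rule: post on your own timeline or on a friend's."""
    return actor == target or graph.are_friends(actor, target)

def post_vulnerable(graph, walls, actor, target, body):
    """Broken access control: trusts the client-chosen target and never
    consults the graph, so any user can write to any timeline."""
    walls[target].append((actor, body))

def post_fixed(graph, walls, actor, target, body):
    """Hardened handler: the friendship check runs server-side on every request."""
    if not can_post_to_timeline(graph, actor, target):
        raise AuthorizationError(f"{actor} may not post on {target}'s timeline")
    walls[target].append((actor, body))

def audit_walls(graph, walls):
    """Defender's check: (target, actor) pairs where a non-friend's post already
    sits on a timeline, i.e. evidence that the unchecked path was used."""
    return [(target, actor) for target, posts in walls.items()
            for actor, _ in posts if not can_post_to_timeline(graph, actor, target)]

def demo():
    """Constructed sample: alice and bob are friends; mallory is nobody's friend."""
    graph = SocialGraph()
    graph.add_friendship("alice", "bob")
    walls = defaultdict(list)
    post_vulnerable(graph, walls, "mallory", "alice", "unsolicited post")
    post_fixed(graph, walls, "bob", "alice", "hi alice")
    return audit_walls(graph, walls)
```

Running `demo()` shows the audit flagging only the post written through the unchecked handler; the same rule applied at request time is what the hardened handler enforces.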

But when Shreateh felt Facebook's Security team weren't taking him seriously, he "escalated" the problem in the most dramatic way possible. He posted a message on Facebook CEO Mark Zuckerberg's own page.

Mark Zuckerberg Facebook page hacked

Dear Mark Zuckerberg,

First, sorry for breaking your privacy and posting to your wall; I had no other choice after all the reports I sent to the Facebook team.

My name is KHALIL, from Palestine.

A couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users' timelines while they are not in the friend list.

I reported that exploit twice; the first time I got a reply that my link had an error while opening, and the other reply I got was "sorry this is not a bug". I sent both reports from www.facebook.com/whitehat, and as you see I am not in your friend list and yet I can post to your timeline.

You can imagine how quickly that got Facebook's attention. Sure enough, the post was removed and Shreateh's account was suspended while the social network investigated the flaw.

Shreateh also made a YouTube video demonstrating how he was able to use the exploit he discovered to post on strangers' Facebook walls.

I have to admit that I have some sympathy with Facebook on this issue. Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall.

Instead, he might have been wiser to go back (again) to Facebook's Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact. If he was still not happy with their response, a technology journalist should perhaps have been his next port of call.

Because of what Facebook considers Shreateh's irresponsible behaviour, the social network has said he does not qualify for a bug bounty reward.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.

Further reading: Facebook admits mistakes, but still won’t pay out to researcher who hacked Zuckerberg’s page



25 Comments on "Mark Zuckerberg's Facebook page hacked by peeved security researcher"

Jeremy M (Guest), August 19, 2013 12:53 pm

I have to disagree with you Graham. If Facebook claimed that the technical details of the flaw were amiss they should have taken the extra time to respond to him fast and promptly. It's great that Facebook gets more negative media attention in regards to privacy, they may actually wake up.

Rikki (Guest), August 19, 2013 3:22 pm

I agree with Jeremy. Getting through the red tape of not caring at most big online companies is almost impossible at times; a company I work for has been trying for MONTHS to get assistance from Facebook, and they PAY for advertising all the time. A public slap in the face is sometimes the best way to get the big wheels turning in the right direction.

Watching (Guest), August 19, 2013 3:35 pm

I'm another who agrees with Jeremy. The man did not post anything "irresponsible," though he could have. He proved his case, period, something "the team," should have welcomed. They also could have avoided it, but pride and arrogance are never very attractive, and refusing to honor their contract with the world is one more evidence of those traits.

Richard (Guest), August 19, 2013 4:19 pm

The nationality of Shreateh was the real issue.

Facebook owes Shreateh big time. He could have used the flaw without saying a word.

Steve Fournier (Guest), August 19, 2013 6:31 pm

I definitely disagree with you; in fact I would have done much worse. And to add insult to injury, the FB team, in disgrace, suspended his account. Silly tactics for monkey actions. They got caught with their pants down and they showed bullying tactics.

TJ (Guest), August 19, 2013 6:46 pm

Who cares. No harm, no foul. Obviously Shreateh could have done much more damage, but he responsibly didn't... As long as Facebook resolves the flaw... that's all that matters...

Mark (Guest), August 19, 2013 8:52 pm

"But I don't agree that that excuses what Shreateh did next. I think it would have been better if he had tried again with Facebook Security or, failing that, found a responsible journalist to demonstrate the flaw to who could have embarrassed Facebook into action."

Maybe, but figuring out how to push the right combination of bureaucratic and/or political buttons can be a huge challenge for anyone, much less a person in his position.

Zuckerberg Ahole (Guest), August 19, 2013 9:19 pm

Cluley is clueless and a Facebook shill at that.

GJA (Guest), August 20, 2013 5:05 pm

Graham,
You are dead wrong and need to just own that, in this instance.
Stop being a pedantic head-of-knuckle. You know that progress in the security sector does not work the way you are suggesting (just keep knocking politely on the door until answered... tripe).
He tried to get a receptive ear, what he got instead was bureaucracy and red-tape.
From an organization that is supposed to be forward thinking and responsive to input.
I have some years on you in forensics and security, and even I would be frustrated by such an 'ivory tower' mentality as FBs security displayed in this matter.
You come off sounding somewhat as a shill for FB because you are defending their indefensible stance and choice. So people are calling you on it. As am I.
MZ needs to instruct FB workers in the security team to:
1. Pay this young man what is owed, rightfully.
2. Thank this young man for his efforts.
3. Have the security team trained in proper process and protocol in accepting candidate flaws for analysis and reporting.

Andy (Guest), August 20, 2013 7:58 pm

Shame on Facebook. They should thank this man for being honest. Mr Zuckerberg should thank him in person and offer him a job. Graham, you are dead wrong.

heidi (Guest), August 21, 2013 12:23 am

Totally disagree with you. You are an example of bullcrap red tape. This guy went straight to the source when needing escalation. Good for him. Time saved for many people and for good service. Disgusted that Facebook didn't pay him and used the terms of service as a reason. Shows they're now a typical corporation. If they suspended his account too then that's sad. This is how you turn good intentions into bad ones. The guy could've easily done harm with this knowledge but chose not to. Shame on Facebook. And Graham, this is the first and last time I read your info. Saw you quoted on CNN so checked it out and I am astonished at your proposed handling of this. What crap advice.

rm (Guest), August 21, 2013 6:46 am

Seriously???? Haha, come on now.

"... a technology journalist should perhaps have been his next port of call."

Kyle (Guest), August 22, 2013 7:03 pm

Why should he have called a security journalist? Who's to say that he would even receive credit for what he found?
