What should you do when you discover a vulnerability on Facebook, submit it to Facebook’s White hat page for a $500 reward, and get ignored? Post it directly on Mark Zuckerberg’s wall. Over the weekend, Khalil, a Palestinian white hat hacker, discovered a vulnerability on Facebook and submitted the bug report to Facebook. The bug allowed him to post onto anyone’s wall, but after a couple of email exchanges with a representative from Facebook, the final answer was “I am sorry this is not a bug”.
Frustrated, Khalil then decided to use the very same vulnerability to post on Mark Zuckerberg’s wall, submitting the bug report there. Of course, the security team responded swiftly, deactivated his account and fixed the problem.
“First sorry for breaking your privacy and post to your wall, i has no other choice to make after all the reports i sent to Facebook team. My name is KHALIL from Palestine…” followed by details and links to the bug.
Unfortunately, because Khalil’s action violated the terms of service for a white hat report, he was not eligible for the cash reward. According to a Facebook engineer, “exploiting bugs to impact real users is not acceptable behavior for a white hat. In this case, the researcher used the bug he discovered to post on the timeline of multiple users without their consent”.