Tuesday, August 20, 2013

Facebook Hacker Breaks Into Zuckerberg's Timeline to Report Bug


If you're a hacker and you find a bug in Facebook, you have the chance to submit it through the company's white hat disclosure program and get a reward.
But what if you've found a bug, and Facebook ignores you?
A Palestinian hacker took the inadvisable step of posting on Facebook founder Mark Zuckerberg's Timeline, taking advantage of the very bug he was trying to report.
 
Khalil Shreateh, a Palestinian developer and hacker, discovered that there was a way to bypass Facebook's privacy settings and post on anyone's timeline — even users who are not your friends.
He first reported the vulnerability via email to the bug bounty program. But the social network failed to recognize the vulnerability in his report, according to Shreateh's blog post.
Before reporting the bug, Shreateh successfully tested it by posting on the wall of Sarah Goodin, Zuckerberg's former college classmate. He included a link to this post in the email, but the Facebook security employee who received the email — identified only as Emrakul — couldn't see the post, since he wasn't friends with Goodin.
That's what Shreateh tried to explain in a follow-up to Emrakul, warning that he could very well post to Zuckerberg's wall if he wanted. He added that he wouldn't, "cause I do respect people privacy," as he allegedly wrote. His second email, however, was ignored.
Shreateh then sent another official report, explaining the bug again. This time, Emrakul allegedly answered: "I am sorry this is not a bug." To which Shreateh answered: "ok, that mean [sic] I have no choice other than report this to Mark himself on Facebook."
And so he did.
Shreateh's post on Mark Zuckerberg's Timeline

The exploit got the attention of Ola Okelola, another Facebook security engineer. Okelola commented on the post, asking for more information on the bug. After a brief discussion, Shreateh's Facebook account got suspended "as a precaution," as another Facebook security engineer named Joshua explained to Shreateh by email.
"Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," Joshua wrote. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue." He added that Facebook would "unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service."
By posting on Zuckerberg's wall, Shreateh also violated Facebook's responsible disclosure policy, which prohibits people who discover bugs from taking advantage of them and demonstrating them on other people's accounts without their permission.
"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission," explained Facebook's Matt Jones on the site Hacker News. Facebook has confirmed to Mashable that Jones is indeed an employee.
"Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent," Jones added.
Facebook declined to comment further. The bug itself was fixed on Thursday, according to Jones.
Shreateh won't be rewarded for his finding, because he violated the disclosure policy.

Facebook launches free voice calls in UK via mobile app

Facebook has launched free voice calling as part of its iOS Messenger app in the UK.
The service debuted in North America in January this year but has now been added to the UK versions of Facebook Messenger on the iPhone, iPad and iPod touch.
To use the service, navigate to the required contact and select the "i" icon in the top right hand corner and then click on the Free Call option. If the person is unavailable or not using the service the option is greyed out. The system supports international calling, meaning a UK user can now freely chat to a US-based friend.
"When you call, your friend will get a notification and hear a ringtone if they have their phone's volume on," said a Facebook representative. "They can swipe through the notification or open Messenger to answer your call. If they miss the call, they will see a note when they return to the conversation indicating that you tried to reach them."

Free Call is a VoIP service, similar to Skype, meaning that the app uses your device's internet connection to route the call rather than a traditional telephone network. The service is reportedly only available on iOS devices. There is no official information regarding the rollout of an Android version at the current time.

Palestinian Finds Facebook Bug, Hacks CEO Zuckerberg’s Page

When Facebook ignored Khalil Shreateh's first two reports, he took his message to the top - and hacked into CEO Mark Zuckerberg's personal page to prove his point.
YATTA, West Bank (AP) — After discovering a privacy bug on Facebook, unemployed Palestinian programmer Khalil Shreateh said he just wanted to collect the traditional $500 bounty the social network giant offers to those who voluntarily expose its glitches.
But when Facebook ignored his first two reports, Shreateh took his message to the top – and hacked into CEO Mark Zuckerberg’s personal page to prove his point.
“Sorry for breaking your privacy,” he wrote the Facebook founder, “I has no other choice to make after all the reports I sent to Facebook team … as you can see iam not in your friend list and yet i can post to your timeline.”
The stunt cost the 30-year-old Palestinian the bounty, but earned him praise – and numerous job offers – for being able to get to the boss of the world’s most ubiquitous social network.
Shreateh, who lives near the West Bank city of Hebron and has been unable to find a job since graduating two years ago with a degree in information technology, told Facebook that he found a way that allowed anyone to post on anyone else’s wall. “I told them that you have a vulnerability and you need to close it,” he told The Associated Press. “I wasn’t looking to be famous. I just wanted to make a point to Mark (Zuckerberg).”
In a message posted to the Hacker News, a user-driven security news site, Facebook software engineer Matthew Jones said the initial report was poorly worded, although he acknowledged that the company should have pressed for more information.
“As a few other commenters have pointed out, we get hundreds of reports every day,” Jones wrote. “Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those … provide some modicum of reproduction instructions.”
Nevertheless, he said, “we should have pushed back asking for more details here.”
He went on to say that Shreateh would not be paid from Facebook’s bounty program because he’d violated the company’s terms of service – namely by posting items to the Facebook pages of users he should not have had access to.
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat,” he said, using an industry term for ethical security experts.
Jones added that the bug was fixed Thursday. Facebook declined to comment beyond the post.
The bug – and Facebook’s response to it – has become a talking point in information security circles, with many speculating that the Palestinian could have helped himself to thousands of dollars had he chosen to sell the information on the black market.
Shreateh said he was initially disappointed by the Facebook response but that after being inundated by job offers from all over the world he is pleased with how things worked out.
“I am looking for a good job to start a normal life like everybody,” he said. “I am so proud to be the Palestinian who discovered that exploit in Facebook.”

Facebook founder Zuckerberg hacked to highlight bug

A screenshot of the message left on Mark Zuckerberg's wall

A Palestinian programmer has highlighted a flaw in Facebook's security system by posting a message on Mark Zuckerberg's private page.

Khalil Shreateh used a vulnerability he discovered to hack the account of the Facebook founder and raise the alarm.

Mr Shreateh said he had tried to use Facebook's White Hat scheme, which offers a monetary reward for reporting vulnerabilities, but had been ignored.

Facebook said it had fixed the fault but would not be paying Mr Shreateh.

Mr Shreateh found a security breach that allowed Facebook users to post messages on the private "walls" of people who had not approved them as "friends", overriding the site's privacy features.
'Not a bug'
He wrote to Facebook's White Hat team to warn them of the glitch, providing basic details of his discovery.

After a short exchange with the team, Mr Shreateh received an email saying: "I am sorry this is not a bug".

Following this rebuttal, Mr Shreateh exploited the bug to post a message on Mr Zuckerberg's page.

In the post, Mr Shreateh, whose first language is Arabic, said he was "sorry for breaking your privacy and post to your wall" but that he had "no other choice" after being ignored by Facebook's security team.

An engineer on Facebook's security team, Matt Jones, posted a public explanation saying that although Mr Shreateh's original email should have been followed up, the way he had reported the bug had violated the site's "responsible disclosure policy".

He added that, as Mr Shreateh had highlighted the bug "using the accounts of real people without their permission", he would not qualify for a payout.