Researcher Hacks Mark Zuckerberg's Facebook Timeline to Report Bug
Aug. 19, 2013 — -- If you want to let Facebook know that there is a security bug that allows anyone to post on your Timeline, then demonstrating it on Mark Zuckerberg's Timeline seems like a surefire way to get the social network's attention.
That's exactly what Palestinian security researcher and hacker Khalil Shreateh did. Shreateh figured out that by entering in some website URLs, grabbing one's Facebook ID and doing some other non-obvious copying and pasting, he could post something on a non-friend's Facebook Timeline.
Shreateh first reported the bug to Facebook's White Hat Security team, which responded to his initial report by saying, "this is not a bug." That's when Shreateh decided to try it out on Facebook CEO Zuckerberg's Timeline.
"First sorry for breaking your privacy and post to your wall," Shreateh wrote on Zuckerberg's Timeline. "I has no other choice to make after all the reports I sent to Facebook team."
The Timeline is a collection of users' personal photos, stories and experiences.
Facebook patched the security hole Thursday and clarified that the original tip was not ignored, but that there simply wasn't enough information provided.
"We should have asked for additional repro [reproduction] instructions after his initial report," Facebook software engineer Matt Jones wrote on Hacker News, a forum for the security community. "Unfortunately, all he submitted was a link to the post he'd already made … Had he included the video initially, we would have caught this much more quickly."
Shreateh has since posted a YouTube video showing exactly how he was able to post something on a non-friend's Timeline.
Jones also suggested that Shreateh's English was hard to understand, but clarified that Facebook gets hundreds of reports and that some of the "best reports come from people whose English isn't great."
With its White Hat program, Facebook allows security researchers to report security vulnerabilities and receive a monetary reward for reporting certain security bugs. Shreateh, however, was not paid for finding this vulnerability because he violated the White Hat Terms of Service by demonstrating the exploit by using the accounts of real people without their permission.
On the other hand, can you really put a price on hacking into Mark Zuckerberg's Timeline?
