He tried to warn them.

A Palestinian researcher posted a message on Facebook CEO Mark Zuckerberg’s page last week after he says the site’s security team didn’t take his warnings about a security flaw seriously.

“First, sorry for breaking your privacy and post(ing) to your wall,” wrote Khalil Shreateh. “I (have) no other choice to make after all the reports I sent to (the) Facebook team.”

Shreateh, who describes himself as an unemployed security researcher with a degree in information systems, said he found a hole in Facebook’s systems that let him post to any user’s page, including users not on his Friends list.
Such an exploit would be a virtual gold mine for spammers, scam artists and others seeking to take advantage of the site’s roughly 1 billion users.
On his blog, Shreateh posted a series of e-mails he said were exchanged between him and Facebook security. After the first one, a Facebook employee responded that the link he attached was bad.

Shreateh had included a post — an Enrique Iglesias video — he says he posted on the page of a woman who went to college with Zuckerberg. He speculated that Facebook’s security team couldn’t see it because they weren’t on her Friends list.
Facebook responded to his second message to say the issue he was reporting was not a bug.

His response: “ok that mean(s) I have no choice other than report this to mark himself on

Needless to say, that got their attention.

Facebook says the flaw was fixed on Thursday. But over the weekend the episode began making headlines on tech blogs.

On the Hacker News website, Facebook security team member Matt Jones wrote that the language barrier with Shreateh, who is not a native English speaker, and the volume of reports the site receives were partly to blame for the site’s slow

“Unfortunately, all he submitted was a link to the post he’d already made (on a real account whose consent he did not have) … saying that ‘the bug allow facebook users to share links to other facebook users,’ ” Jones wrote.

“For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great — though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds

Because he violated Facebook’s terms of service by hacking the pages of other users, Shreateh is not eligible to receive a reward under the site’s White Hat program designed to find and fix bugs.

Shreateh, who says he has been looking for work for two years, lives in the Palestinian city of Yatta, in a region where the unemployment rate is officially 22% and is higher among men in their 20s, like Shreateh.

“I could sell (information about the flaw) on the black (hat) hackers’ websites and I could make more money than Facebook could pay me,” he said in an interview with CNN. “But for me — I am a good guy. I don’t deal with the black (hat) stuff.”

In hacker circles, “white hat” is a term for people who report exploits they find so they can be fixed, while “black hat” often refers to people who hack to take advantage of those exploits.

He said he’s proud that, as a Palestinian using a five-year-old laptop with broken keys and a broken battery, he had the skills to find a problem with one of the world’s biggest websites. But he acknowledged hoping his tip would lead to a reward from Facebook.

“I never asked them, ‘I want $4,000 or $5,000’,” he said. “I didn’t deal with them like that … . (But) I really needed that money.”

Jones acknowledged that the security team should have asked Shreateh for more information.

“I have to admit that I have some sympathy with Facebook on this issue,” security analyst Graham Cluley wrote on his blog. “Although he was frustrated by the response from Facebook’s security team, Shreateh did the wrong thing by using the flaw to post a message on Mark

He would have been better served returning to Facebook’s security team with more evidence and further explaining it or, if that didn’t work, taking the information to a technology journalist to report, Cluley said.