Mark Zuckerberg Timeline hacked by researcher after bug warning ignored

Got their attention

Facebook has blamed a misunderstanding for an embarrassing incident last week in which founder Mark Zuckerberg's Timeline was hacked to draw attention to a security flaw that a researcher believed was being ignored by the firm.

As QEDs go, what Palestinian researcher Khalil Shreateh did to try to earn a bug bounty under Facebook's Whitehat program counts as an unorthodox but effective way of grabbing the firm's attention by any means necessary. But should it have come to that?

Shreateh had discovered a bug that allowed anyone to post to a user's Timeline even if they were not on that user's friend list. He demonstrated it by posting to the private Timeline of Sarah Goodin, someone connected to Mark Zuckerberg from his college days.

After reporting the issue for a second time and being told "sorry, this is not a bug," Shreateh decided to show off the flaw on the one Timeline that might grab some attention, that of Mark Zuckerberg.

"Dear Mark Zuckerberg, first sorry for breaking privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team," he wrote in the note on the founder's Wall. "My name is KHALIL from Palestine."

The researcher then linked to his reports and the replies he had received from Facebook.

Not long after that Shreateh had his account temporarily disabled and received the following message: "Facebook disabled your account as a precaution. When we discovered your activity we did not fully know what was happening."

The message went on to say that his report of the flaw had not contained enough information and that, because he had not used the correct reporting procedure, he would not be paid under the Whitehat system.

"We do hope, however, that you continue to work with us to find vulnerabilities in the site."

Facebook's security team later defended its action on the Hacker News forum, stating that the researcher had only sent a link to the unauthorised posting on the Wall of Sarah Goodin.

While admitting the team should have clarified the issue more carefully, Facebook's representative went on to say that "many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters."

Facebook currently receives hundreds of reports every day and has fixed the flaw reported by Shreateh, the firm said. Its Terms of Service (ToS) clearly explain the reporting procedure in a number of languages, including Arabic.

The incident will nevertheless embarrass Facebook: a potentially significant security issue, reported in good faith, was initially dismissed. Critics might also point out that the firm's evident preference for receiving reports in English raises an obvious question: what if a researcher doesn't speak English?

Some Hacker News commenters argued that while Facebook's hardline stance on not paying Shreateh was technically correct, it might still reinforce the view in some quarters that researchers can earn more by selling flaws to the highest bidder or going 'black hat'.


Stories by John E Dunn
