Facebook ignores security researcher's bug report, then disables account and denies minimum bug bounty fee

If at first you don't succeed, post a message on Mark Zuckerberg's wall. As in, Mark Zuckerberg's personal wall – aside from driving by Facebook headquarters with a loudspeaker in hand, we can think of few better ways to get the CEO's attention, especially if you aren't his Facebook friend to begin with.

Palestinian security researcher Khalil Shreateh uncovered a glitch in the Facebook matrix that would allegedly allow anyone to post to the Facebook Walls of any other user – a big no-no in Facebook land, for one's Wall is supposed to be reserved only for one's friends to post on, assuming normal security settings.

Shreateh twice sent reports of the bug to Facebook via the company's bug-disclosure and bounty programme. The first time, Facebook security representative "Emrakul" couldn't see the results of Shreateh's work – presumably because Emrakul wasn't actually friends with the person whom Shreateh had used as a proof-of-concept for the loophole. The second time around, Emrakul told Shreateh that his findings were "not a bug."

Shreateh, who doesn't appear too keen on taking "no" for an answer, took the next logical step: he used his loophole to post directly on Zuckerberg's Wall, likely hoping to stir the pot a bit and get stronger acknowledgement of his findings.

It worked. Facebook software engineer Ola Okelola contacted Shreateh soon after, and Shreateh found his Facebook account disabled shortly after that – while Facebook worked to close the exploit, presumably.

When Shreateh's account was turned back on after he submitted another bug report protesting its disabling, a Facebook security engineer told him that the account disabling was a "precaution" and that Shreateh would not be receiving any kind of financial compensation for his bug find – normally a key portion of Facebook's "bug bounty" reporting programme.

Facebook software engineer Matt Jones took to Hacker News to offer a bit of an explanation behind Facebook's response and why Shreateh is out his minimum reward of $500 (£320) for the finding.

"To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that 'the bug allow facebook users to share links to other facebook users'," Jones wrote.

Shreateh, who ultimately made a video of the exploit in action, would have likely received a quicker (if not stronger) response from Facebook had he provided that as part of his bug reporting. However, the very act of using others' accounts to prove the bug's existence was enough to prevent him from earning the cash reward.