No, posting a link on the CEO’s friends-only wall won’t get you any rewards from Facebook — but sometimes, the internet will come to the rescue. At least, that seems to be true in the case of Khalil Shreateh, who stands to gain more than US$10 000 after donors rallied to give him a reward for his efforts identifying a Facebook bug.
Shreateh, an unemployed Palestinian security researcher, made headlines recently when he exploited a flaw which allowed users to post to another’s wall, even if that user had privacy settings in place which restricted that ability to their friends. He tried to officially explain the problem to the Facebook team, but after they couldn’t see the test post he used as evidence (a post on the wall of Zuckerberg’s former classmate Sarah Goodin), he decided to prove he had found a bug in a different way: by posting to Zuckerberg’s wall.
Even though Facebook then quickly reacted and fixed the problem, it said it wouldn’t be paying Shreateh its usual white hat bounty (the reward it gives hackers for reporting flaws) because he contravened its terms of service by posting to another user’s wall without consent.
In a bid to reward the hacker for his work, US-based security expert Marc Maiffret decided to start a crowdfunding campaign on Go Fund Me to send “a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone”. The fund passed its US$10 000 goal in a day — so far, it’s raised US$10 730, which Maiffret says he’s currently in the process of transferring to Shreateh.
While Facebook receives hundreds of messages daily through its official white hat reporting channel and has clear instructions about how vulnerabilities should be reported, it has been called out for not investigating Shreateh’s claims thoroughly. For its part, the Facebook team has admitted that it should have replied differently to Shreateh’s initial emails by asking for more information about the bug, and that language differences may have played a role in its response to his report.