TribLIVE

| Business


 
Larger text Larger text Smaller text Smaller text | Order Photo Reprints

Facebook CEO's page hacked by web developer

On the Grid

From the shale fields to the cooling towers, Trib Total Media covers the energy industry in Western Pennsylvania and beyond. For the latest news and views on gas, coal, electricity and more, check out On the Grid today.

By The Washington Post
Monday, Aug. 19, 2013, 6:54 p.m.
 

An unemployed Palestinian developer named Khalil Shreateh tried several times to report a bug to Facebook's security team. When no one got back to him, he took the next step: He exploited the bug to leave a public comment on Facebook CEO Mark Zuckerberg's wall.

“First sorry for breaking your privacy and post to your wall,” an apparent screenshot of the hack reads. “I has (sic) no other choice to make after all the reports i sent to Facebook team.”

The break-in, detailed on Shre­ateh's blog (and in several agitated posts from Facebook developers on Hacker News), has been more than a little embarrassing for Facebook.

But it's not exactly newsworthy that Shreateh found a bug — that happens all the time. In fact, Facebook runs a program that encourages white hat hackers to find and report bugs in Facebook infrastructure in exchange for a cash reward. What is unusual is that Facebook didn't respond to Shreateh's initial reports about the bug, and that Shreateh then exploited it in violation of Facebook's policies for white hat hackers.

“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” insisted Matt Jones, a Facebook software engineer, on the forum Hacker News.

So why didn't Facebook respond right away to Shreateh's reports? Judging by the email threads with Facebook's security team that Shreateh posted on his blog, it looks like his bug was lost — literally — in translation. Shreateh's English is a little shaky, and the Facebook developer he corresponded with doesn't seem to understand the report.

On Hacker News, Jones explains that they often get reports from “people whose English isn't great,” and that usually “it's something we work with just fine.” According to Facebook's own reports, the company relies heavily on international white hat hackers to keep its system secure — of the 329 legitimate bugs reported by white hats in the past two years, more than 260 came from outside the United States.

Facebook pays bounties for bug reporting, but Shreateh said he will not receive a bounty for his work — per an email from Facebook, he violated the terms of the program when he hacked Zuckerberg's account. That has enraged some in the security community, who argue Shreateh exposed an important vulnerability in good faith, using the only means available. The bug has since been fixed, according to Jones's Hacker News post.

 

 
 


Show commenting policy

Most-Read Business Headlines

  1. Consol Energy cutting retiree health benefits, phasing out pension
  2. Stocks slammed as manufacturing slows in U.S., abroad
  3. LNG exports get federal approval from Dominion’s Cove Point terminal
  4. EPA says greenhouse gas releases from wells, pipelines decline
  5. Google Pittsburgh instrumental in fight against hackers, co-directors say
  6. Hospitals, doctors in Pa. received $32M in 5 months from drug, medical device companies
  7. Retirement planning is about more than just money
  8. Study: Wellness programs don't save money, but employee health improves
  9. With acquisition, PNC set to enter IPO market
  10. Power companies not on board with plans for polar vortex
  11. Health care, consumer staples lead rebound in stocks
Subscribe today! Click here for our subscription offers.