This is one way to get attention. Khalil, a Palestinian white hat hacker, submitted bug reports to Facebook about a vulnerability that allowed him to post on anyone’s wall. But Facebook’s security team didn’t do anything. So what did he do next? He hacked the wall of Facebook founder Mark Zuckerberg.
Khalil explains on his blog that he submitted a full description of the bug, plus follow-up proof of its existence to the Facebook security feedback page, where researchers can win rewards of at least $500 for finding significant vulnerabilities. Then he submitted again. The second time he got an e-mail back that said, “I am sorry this is not a bug.”
Here’s the full message he posted:
Facebook says that he cannot claim a reward for the find because in hacking Zuckerberg’s wall he violated Facebook’s terms of service. “Exploiting bugs to impact real users is not acceptable behavior for a white hat. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.” Facebook admits, though, that its team should have been more diligent in following up on Khalil’s submission.