An unemployed Palestinian developer named Khalil Shreateh tried several times to report a bug to Facebook’s security team. When no one got back to him, he took the (dubiously) logical next step: exploited the bug to leave a public comment on Facebook CEO Mark Zuckerberg’s wall.
“First sorry for breaking your privacy and post to your wall,” an apparent screenshot of the hack reads. “I has [sic] no other choice to make after all the reports I sent to Facebook team.”
But it’s not exactly newsworthy that Shreateh found a bug. In fact, Facebook runs a program that encourages white-hat hackers to find and report bugs in Facebook infrastructure in exchange for a cash reward. What is unusual is that Facebook didn’t respond to Shreateh’s initial reports about the bug, and that Shreateh then exploited it in violation of Facebook’s policies for white-hat hackers.
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” Matt Jones, a Facebook software engineer, said. So why didn’t Facebook respond right away to Shreateh’s reports? It seems his bug was lost – literally – in translation. Shreateh’s English is a little shaky, and the Facebook developer he corresponded with doesn’t seem to have understood the report:
“Rhe vulnerability allow’s facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and I got success post… of course you may cant see the link because sarah’s timeline friends posts shares only with her friends, you need to be a friend of her to see that post or you can use your own authority.”
“I am sorry this is not a bug,” a Facebook employee reportedly fired back.