Mon, 29 Nov 2021 Today's Paper

Zuckerberg's Facebook hacked

20 August 2013 05:14 am - 11     - {{hitsCtrl.values.hits}}


A Palestinian researcher posted a message on Facebook CEO Mark Zuckerberg's page last week after he says the site's security team didn't take his warnings about a security flaw seriously.

"First, sorry for breaking your privacy and post(ing) to your wall," wrote Khalil Shreateh. "I (have) no other choice to make after all the reports I sent to (the) Facebook team."

Shreateh, who describes himself as an unemployed security researcher with a degree in information systems, said he found a hole in Facebook's systems that let him post to any user's page, including users not on his Friends list.

Such an exploit would be a virtual gold mine for spammers, scam artists and others seeking to take advantage of the site's roughly 1 billion users worldwide.

On his blog, Shreateh posted a series of e-mails he said were exchanged between him and Facebook security. After the first one, a Facebook employee responded that the link he attached was bad.

Shreateh had included a post -- an Enrique Iglesias video -- he says he posted on the page of a woman who went to college with Zuckerberg. He speculated that Facebook's security team couldn't see it because they weren't on her Friends list.
Facebook responded to his second message to say the issue he was reporting was not a bug.

His response: "ok that mean(s) I have no choice other than report this to mark himself on facebook."

Needless to say, that got their attention.

Facebook says the flaw was fixed on Thursday. But over the weekend the episode began making headlines on tech blogs.

On the Hacker News website, Facebook security team member Matt Jones wrote that the language barrier with Shreateh, who is not a native English speaker, and the volume of reports the site receives were partly to blame for the site's slow response.

"Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have) ... saying that 'the bug allow facebook users to share links to other facebook users,' " Jones wrote.

"For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great -- though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters."

Because he violated Facebook's terms of service by hacking the pages of other users, Shreateh is not eligible to receive a reward under the site's White Hat program designed to find and fix bugs.

Shreateh, who says he has been looking for work for two years, lives in the Palestinian city of Yatta, in a region where the unemployment rate is officially 22% and is higher among men in their 20s, like Shreateh.

"I could sell (information about the flaw) on the black (hat) hackers' websites and I could make more money than Facebook could pay me," he said in an interview with CNN. "But for me -- I am a good guy. I don't deal with the black (hat) stuff."

In hacker circles, "white hat" is a term for people who report exploits they find so they can be fixed, while "black hat" often refers to people who hack to take advantage of those exploits.

He said he's proud that, as a Palestinian using a five-year-old laptop with broken keys and a broken battery, he had the skills to find a problem with one of the world's biggest websites. But he acknowledged hoping his tip would lead to a reward from Facebook.

"I never asked them, 'I want $4,000 or $5,000'," he said. "I didn't deal with them like that ... . (But) I really needed that money."

Jones acknowledged that the security team should have asked Shreateh for more information.

"I have to admit that I have some sympathy with Facebook on this issue," security analyst Graham Cluley wrote on his blog. "Although he was frustrated by the response from Facebook's security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg's wall."

He would have been better served returning to Facebook's security team with more evidence and further explaining it or, if that didn't work, taking the information to a technology journalist to report, Cluley said.(CNN)

  Comments - 11

  • Karu Tuesday, 20 August 2013 05:55 AM

    publicity..............nothing else

    C.J Tuesday, 20 August 2013 12:00 AM

    This major hack proves that fb's security is week via DM Android App

    lk Tuesday, 20 August 2013 06:32 AM

    karu is our guy who can hack into high security sites while enjoying his hot tea and vadai. he just don't publicise his brave efforts

    siyalla dath Tuesday, 20 August 2013 12:00 AM

    well done. good job keep it up via DM Android App

    Munasiri Tuesday, 20 August 2013 06:48 AM

    Do you know at least how to kill a bed bug?

    Muslim Tuesday, 20 August 2013 07:26 AM

    We are smart...don't make us use all our brains..BBS

    raspi Tuesday, 20 August 2013 07:56 AM

    @karu this is one way of showing how capable you are.facebook should hire him if his claim is legitimate. this sort of stunts a pulled by hackers to get jobs. unorthodox but still effective.

    Abdul Tuesday, 20 August 2013 08:06 AM

    facebook kills privacy! facebook made people share their private life online. we have to put our private life online to communicate with people online.

    Ahmed. Tuesday, 20 August 2013 12:00 AM

    Very misleading title, it was not hacked. He posted from his profile to Mark's profile to prove that he exploited a bug. Please do a little research before you guys publish something. via DM Android App

    zaha Tuesday, 20 August 2013 12:00 AM

    wat the hell via DM Android App

    raspi Tuesday, 20 August 2013 05:33 AM

    LOL good way to find a job :D

Add comment

Comments will be edited (grammar, spelling and slang) and authorized at the discretion of Daily Mirror online. The website also has the right not to publish selected comments.

Reply To:

Name - Reply Comment

Focus on Laggala Gem mining big shots bigger than the law

The truth is now being uncovered regarding an illegal mining racket in state

How and why the TNA was formed twenty years ago

The Tamil National Alliance (TNA) is now twenty years of age. The premier pol

India lays emphasis on culture diplomacy with Sri Lanka

Indian Prime Minister Narendra Modi wanted to inaugurate the Kushinagar Inter

Bittersweet memories of a ‘City that never slept’

At the heart of Eastern Province lies a now abandoned ghost town punctuated w