Normally you can only post on someone else’s Facebook wall if you are “friends”. That’s the way that Facebook designed it.
Palestinian researcher Khalil Shreateh, however, found a security vulnerability in the social network that meant he could post messages and photographs to *any* of Facebook's 1,000,000,000+ users' walls, regardless of whether they were friends. In the wrong hands that could be a very effective way of spreading malware, scams or spammy links, because the recipient sees the post as if it came through a normal, trusted channel.
When Shreateh felt Facebook's security team weren't taking him seriously, he "escalated" the problem in the most dramatic way possible: he posted a message on Facebook CEO Mark Zuckerberg's own timeline.
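The flaw described above is, in outline, a missing server-side authorization check: the "friends only" rule was enforced somewhere the attacker could bypass. The following is an added example, not Facebook's code and not based on any detail of Shreateh's exploit; the user names, friendship graph and function names are all constructed for illustration. It shows the vulnerable pattern (the server trusts that the client already checked the rule) beside the hardened version that re-checks it on every request.

```python
# Added illustration of a missing-authorization bug in a "post to wall"
# endpoint. All data here is constructed; none of it is Facebook's.

# Constructed friendship graph: who is in whose friend list.
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice"},
    "mark": set(),          # nobody in this sample is Mark's friend
}


def are_friends(owner, other):
    """True if `other` appears in `owner`'s friend list."""
    return other in FRIENDS.get(owner, set())


def post_to_wall_vulnerable(walls, session_user, target_user, message):
    """Vulnerable pattern: the UI only offers a 'post' box for friends, so
    the server assumes the rule has already been enforced. Any logged-in
    user who crafts the request directly can name any target."""
    if target_user not in walls:
        return False
    walls[target_user].append((session_user, message))
    return True


def post_to_wall_fixed(walls, session_user, target_user, message):
    """Hardened version: the friendship rule is re-checked on the server for
    every request, using the authenticated session identity (never a
    poster id supplied by the client). A caller should turn False into
    HTTP 403."""
    if target_user not in walls:
        return False
    allowed = session_user == target_user or are_friends(target_user, session_user)
    if not allowed:
        return False
    walls[target_user].append((session_user, message))
    return True


def demo():
    """Run both variants against the same attempt: a stranger posting to
    Mark's wall. Returns (vulnerable_result, fixed_result)."""
    walls_v = {"alice": [], "bob": [], "mark": []}
    walls_f = {"alice": [], "bob": [], "mark": []}
    v = post_to_wall_vulnerable(walls_v, "stranger", "mark", "hello")
    f = post_to_wall_fixed(walls_f, "stranger", "mark", "hello")
    return v, f


if __name__ == "__main__":
    print(demo())  # vulnerable endpoint accepts the post, fixed one refuses
```

The point of the check is that it is keyed on the server-side session identity and the server's own copy of the friend list; nothing the client sends (other than the target and the message) influences the decision.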
Dear Mark Zuckerberg,
First, sorry for breaking your privacy and posting to your wall; I had no other choice after all the reports I sent to the Facebook team.
My name is KHALIL, from Palestine.
A couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users' timelines while they are not in their friend list.
I reported that exploit twice. The first time I got a reply that my link had an error while opening; the other reply I got was "sorry this is not a bug". Both reports I sent from www.facebook.com/whitehat, and as you see I am not in your friend list and yet I can post to your timeline.
You can imagine how quickly that got Facebook’s attention. Sure enough, the post was removed and Shreateh’s account was suspended while the social network investigated the flaw.
Shreateh also made a YouTube video demonstrating how he was able to use the exploit he discovered to post on strangers' Facebook walls.
I have to admit that I have some sympathy with Facebook on this issue. Although he was frustrated by the response from Facebook’s security team, Shreateh did the wrong thing by using the flaw to post a message on Mark Zuckerberg’s wall.
Instead, he might have been wiser to go back (again) to Facebook’s Security team with more evidence of the flaw, explaining the problem more clearly and perhaps including more information as to its impact. If he was still not happy with their response, a technology journalist should perhaps have been his next port of call.
Because of what Facebook considers Shreateh’s irresponsible behaviour, the social network has said he does not qualify for a bug bounty reward.