If your Facebook profile isn't public, others aren't supposed to be able to post content on your wall. Khalil Shreateh, a self-described IT expert from Palestine, claims to have discovered a vulnerability that lets anyone post a link to other users' Facebook walls regardless of their privacy settings. Shreateh says he reported the bug to Facebook recently, but he claims that instead of taking him seriously the company dismissed the report and decided it wasn't a bug.
In a lengthy blog post outlining the timeline of events, Shreateh says he tested the vulnerability on Sarah Goodin, a friend of Facebook CEO Mark Zuckerberg and the first woman to sign up to the service, before reporting it through Facebook's whitehat disclosure program for security researchers. The whitehat program rewards researchers with at least $500 for valid bug reports. In a copy of an email sent to Facebook, Shreateh explains the details and notes that the security team might not be able to see his test post because Goodin's posts are visible only to her friends. Despite the attached screenshot of the post, a Facebook security engineer, identified only as Emrakul, replied "I am sorry this is not a bug," without asking for additional information.

Unperturbed by the response, Shreateh decided to notify Mark Zuckerberg himself by using the bug to post on Zuckerberg's own timeline. Minutes later, Facebook security engineer Ola Okelola contacted Shreateh requesting details of the exploit, and Facebook disabled his account, presumably fearing a wider security breach. Shreateh's account has since been re-enabled, but the company maintains that his original report "did not have enough technical information" for it to take action. In an email to Shreateh, a Facebook security engineer identified as Joshua says the company is "not able to pay you for this vulnerability because your actions violated our Terms of Service."

Details of the exact exploit do not appear to have been made public. Had Shreateh gone public instead of alerting the company through its recommended disclosure process, it's likely this type of exploit would have been used to spam Facebook users with malicious links. The Verge has reached out to Facebook to verify the details of the bug and to ask why Shreateh's reports weren't taken seriously, and we'll update this story accordingly.

The Verge