To Repurpose an Old Verizon Commercial — “Mark, Can You Pay Me Now!” Facebook’s Zuckerberg Has Private Timeline Hacked.
Facebook’s White Hat security team pays anybody who finds a security flaw a minimum of $500 — anybody, that is, with the exception of hacker Khalil Shreateh.
Shreateh contacted Facebook’s security team twice to tell them about a bug that allowed him to post to a user’s timeline even though he wasn’t an accepted friend.
According to an article by Michael Blaustein in the New York Post, “In theory, Shreateh should have been blocked from posting through one of Facebook’s highly touted new security features that gives users the ability to filter who can post messages on their timelines. (Though) Shreateh found a way around Facebook’s defenses …the company’s security team said that his method was ‘not a bug’ according to the hacker’s blog post, as reported by tech blog Gizmodo.”
Bugged that Facebook did not deem his bug a bug, Shreateh posted a message (in broken English) to Facebook founder Mark Zuckerberg on Zuckerberg’s private timeline, “Dear Mark Zuckerberg…First sorry for breaking your privacy and post to your wall, I has no other choice to make after all the reports i sent to Facebook team. i appreciate your time reading this and getting some one from your company team to contact me.”
Instead of receiving a payment of $500 from the $40 billion company (give or take a few billion either way), Shreateh’s Facebook page was shut down “as a precaution” and he was told his messages did not contain enough technical information to prove that he hacked the site. And, in a classic “Mrs. Lincoln, the Ford Theater’s management hopes you enjoyed the play and that you’ll come back often” comment, Facebook added, “We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
This elicited the following response from Shreateh in his blog, “bulls—t.” And, he created a YouTube video to prove his hack had worked.