You knew that Mark Zuckerberg probably had more than a few social problems after he was sued by his Harvard acquaintances Cameron Winklevoss, Tyler Winklevoss and Divya Narendra. Then there was Eduardo Saverin, supposedly a friend, who also sued and settled out of court. If the Zuck won't listen to his friends from those days, what makes you think he'd listen to some unknown guy from Palestine?
Of course, the Zuck himself wasn't directly handed the intel, but he set up the Facebook culture, and that culture doesn't seem too friendly toward outsiders bearing bad news. So when a Palestinian IT expert tried to get Facebook's attention through the appropriate channel, the FB "white hat" security disclosure program, it's not surprising that he got the IT equivalent of a cold shoulder, not once but twice. The man even demonstrated the bug he found for an FB security engineer by using it to post an Enrique Iglesias video on the FB page of Sarah Goodin, a friend of Zuckerberg. The IT expert was told, "Sorry this is not a bug." Only Goodin's friends could see the post, so it wasn't considered a problem. That reasoning misses the point: the issue was never who could see the post but that a stranger who was not Goodin's friend could put it on her timeline at all. Then the bug bit Zuckerberg.
Khalil Shreateh went on to prove it was indeed a bug by putting a blog post on Mark Zuckerberg's own FB page. I think the Zuck must have paid attention, because it took only minutes for Shreateh to be contacted by FB security and to have his own FB account shut down as a precaution. The Zuck obviously wasn't too concerned about Sarah Goodin, which goes to show that friends and frenemies are not a high concern for the social networking pioneer. The bug was reportedly fixed on Thursday (August 15, 2013).
What's more, the minimum reward of $500 that the white hat program supposedly pays people for reporting bugs won't be applied to this case, because if Shreateh had been a real white hat in the tradition of, one supposes, the TV series version of the Lone Ranger, he wouldn't have posted to an account he didn't own. That was a violation of the site's terms of service.
Instead, Shreateh was told, "We do hope, however, that you continue to work with us to find vulnerabilities in the site." Uh...don't you think some engineer could have contacted Shreateh, asked for more information and perhaps warned him against demonstrating the bug on live accounts? Apparently no such warning came after the Sarah Goodin incident, when it would have mattered.
What was Shreateh to do? Wait until someone, say on the FB security team, took his finding and put it forward as his or her own discovery and collected whatever award came with it? Stealing ideas would be so much like, well, like Zuckerberg himself.
You'd think that Facebook could afford at least $500, since the engineers involved couldn't afford the time to explore the details of the original claim and apparently couldn't tell the difference between a bug and an account hijacking. In this case those were actually the same thing, but evidently not something the FB corporate culture would consider a problem for the everyday, no-name user/customer.
This isn't the first time that FB has ignored reports, according to comments left for Shreateh on his blog post about the event. Waqas Jamal wrote: "I faced a similar situation 2.5 years back when I reported 2 vulnerabilities in messages and group posting. FB didn't even reply for more than 2 weeks. P.S. I had given a complete PoC with a proper external demo link. But all went in vain. At that time I just wanted my name on the White List on the FB page." Waqas Jamal is apparently from Pakistan.
Shreateh has taken the time to post about this incident in both English and Arabic. Perhaps the Zuck wouldn't look like such a cluck if FB had multilingual security people. Shreateh lists himself as unemployed; surely FB could use some help, and could give some stock or a measly $500 to the man.
Do you think Facebook should give Shreateh the money?
When you're using Facebook, just remember when Stephen Colbert awarded Zuckerberg the Medal of Fear, it was "because he values his privacy much more than he values yours."