Here's one worth thinking about.
Earlier this week, security researcher Khalil Shreateh discovered a Facebook bug that allowed a hacker to post on anyone’s wall — even if they weren’t that person’s friend.
While he was able to prove to Facebook that his bug was legit (despite an initial response that it wasn’t a bug at all), Facebook wasn’t too happy with the way he did it: by using the bug to post on Zuckerberg’s otherwise friends-only wall.
Security research can be a pretty tough balancing act. If you don’t follow a company’s responsible reporting terms to a T, you might be robbing yourself of your fair share of recognition and, if the company is one of many that gives bug bounties, a chunk of cash. Alas, exploiting your way onto Zuck’s timeline… doesn’t exactly comply with Facebook’s reporting rules.
In his initial report of the bug, Khalil demonstrated that he was able to post on anyone's wall by submitting a link to a post he'd made on the wall of Sarah Goodin (a college friend of Zuck's, and the first woman on Facebook).
Unfortunately, the member of the Facebook Security team who clicked the link wasn't friends with Goodin, whose wall was set to be visible to friends only. As a result, they couldn't see Khalil's post. (While Facebook Security can almost certainly override privacy settings to see anything posted on the site, they didn't seem to do that here.)
“I don’t see anything when I click the link except an error”, responded Facebook’s Security team.
Khalil submitted the bug with the same link again, explaining that anyone investigating the link would need to either be Goodin’s friend or would need to “use [their] own authority” to view the private post.
“I am sorry this is not a bug”, replied the same member of the Security team, seemingly failing to grasp what was going on.
Khalil responded by taking his demonstration to the next level: if posting on the wall of one of Mark Zuckerberg's friends didn't get his point across, perhaps posting on Zuck's own wall would?
On Thursday afternoon, Khalil posted a note on Zuckerberg's timeline. "Sorry for breaking your privacy [to post] to your wall," it read, "I [had] no other choice to make after all the reports I sent to Facebook team".