Facebook’s security team has been left rather embarrassed this week after deciding to ignore a submitted vulnerability report only to find the exploit used to post on Mark Zuckerberg’s wall.
The vulnerability was reported by a Palestinian white-hat hacker named Khalil and described a way for anyone to post on a user’s wall. He followed the rules by filing the bug through Facebook’s feedback system and even included an example of it being used. However, Facebook ignored the report, and when Khalil submitted it again he was told it wasn’t a bug.
Knowing he had a legitimate exploit and Facebook wasn’t going to fix it, Khalil decided to take much more drastic and public action. He proceeded to use the exploit to post his bug report on Mark Zuckerberg’s own wall. As you’d expect, it only took a few minutes for Facebook to notice the post and contact Khalil to find out more about how he’d managed to circumvent the user account security.
Was Khalil wrong to take such action? From a user security point of view he wasn’t, as Facebook had decided to ignore and dismiss an exploit he knew worked. But Facebook doesn’t see it that way and has refused to pay Khalil the $500 reward he is entitled to, on the grounds that he broke the rules by using the exploit.
I think in this case Facebook should issue the reward because of their own failings. They should also make it clear they want Khalil to keep looking for security issues as he’s already found something they completely overlooked.
For those of you interested, Khalil posted a video demonstrating the exploit in action: