One IT expert took drastic measures to report a bug to Facebook’s security team.
A Palestine-based Facebook user, who goes by Khalil, says he discovered a bug that lets someone post to any other Facebook user’s wall at any time, bypassing any security restrictions that user has set up. (Via YouTube / SmartKhalil)
Khalil reported the bug through Facebook’s built-in white-hat security reporting tool. The company often distributes bounties for legitimate security concerns.
But on his website, Khalil posted an email conversation with Facebook’s security team, who repeatedly told him his find wasn’t a bug. (Via khalil-sh.blogspot.ru)
So Khalil went straight to the top. He used the very vulnerability he was trying to report to post an explanation on Mark Zuckerberg’s wall. (Via The Verge)
Very quickly after that, Facebook security got back in touch, requesting details on the hack. Khalil’s Facebook account was disabled in the meantime as a precaution.
RT reports Facebook eventually agreed this was an exploit that would need patching — but Khalil wouldn’t be compensated “because his actions violated the website’s security terms of service.”
“[Facebook] sets a number of rules that security analysts should follow in order to be eligible for a cash reward. Facebook did not specify which of the rules Khalil had broken.” (Via RT)
A member of Facebook’s security team posted on Hacker News to clarify — Facebook will only compensate white hats if they “make a good faith effort to avoid privacy violations.” Posting straight to the CEO’s wall is a disqualification.
So no payout for Khalil, but his account has been reinstated, and Facebook says it hopes he will continue to report security vulnerabilities through the appropriate channels. The cross-wall posting trick has been patched as of Thursday.