Apparently, nothing can show up on your Facebook Wall unless posted by you or your friends, but Palestinian security researcher and hacker Khalil Shreateh just proved this wrong!
On detecting a privacy bug that allowed anyone to post something on a non-friend's Timeline, Shreateh reported the flaw to Facebook’s security team but they didn’t take his warnings seriously.
After failing to elicit a positive response, Shreateh hacked into CEO Mark Zuckerberg's page last week and posted a message on it to expose the glitch and prove a point.
"First, sorry for breaking your privacy and post(ing) to your wall, I (had) no other choice to make after all the reports I sent to (the) Facebook team," Shreateh wrote on Zuckerberg's wall.
Initial attempts rebuffed
In the hope of collecting the traditional $500 bounty that Facebook offers to those who voluntarily report such glitches rather than sell them on the black market, Shreateh reported the bug to the security team.
He had written to Facebook security, saying, "My name is Khalil Shreateh. I finished school with B.A degree in Information Systems. I would like to report a bug in your main site (www.facebook.com) which i discovered it... The bug allow Facebook users to share links to other facebook users, I tested it on Sarah.Goodin wall and I got success post."
His attempts were initially rebuffed, but when Shreateh hacked Facebook founder Mark Zuckerberg’s page and posted a YouTube video to establish the social network’s vulnerability, he finally caught their attention.
The security team contacted Shreateh immediately and asked for details on how he did it. Once they understood the bug they acted quickly and fixed the flaw on Thursday.
Facebook software engineer Matthew Jones attributes the site's slow response to the language barrier and the volume of reports the site receives. However, he concedes that the company should have asked for more information.
Matt Jones stated, "Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have) ... saying that 'the bug allow facebook users to share links to other facebook users,' For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great -- though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters."
Violated the terms of service
Unfortunately, the 30-year-old Palestinian was not paid the $500+ fee for exposing the security hole because he violated the Terms of Service by using the accounts of users without their permission. However, the stunt has been hailed and the researcher has been offered a number of jobs.