Idiots at Facebook were humiliated by a hacker after they tried to spin the news that their software was flawed.
Facebook has a policy that it will pay a minimum $500 bounty for any security flaws that a hacker finds.
Khalil, a systems information expert from Palestine, found a vulnerability that allows anyone to post to another user’s timeline whether they’re friends or not. He tried to report it to Facebook’s security team twice.
He even warned them that he could post to Zuckerberg’s wall, but they told him that it was not a bug and to go away.
So Khalil posted an Enrique Iglesias video to Sarah Goodin’s wall. Goodin was a woman that Zuckerberg went to college with.
The security team still claimed that since you can’t see that post unless you’re a friend of Sarah, it is not a bug.
So he posted onto Mark Zuckerberg’s wall details of the security hole. Khalil was very nice about it and said he was sorry for violating his privacy.
In less than a minute his Facebook account was suspended and he was contacted by a Facebook engineer requesting all the details of the exploit.
They claimed that he had not given enough technical information for them to take action on it. Why do we have the impression that this one was bumped up to someone’s supervisor?
However, they said that because of the way he proved the hack existed, Facebook could not pay him for the vulnerability, since his actions violated Facebook’s Terms of Service.
Of course, it’s all his fault; the security team couldn’t have said, “Yeah, we see what you’re talking about, we need some more technical information.” Khalil tried at least two times to contact them, and both times they told him to go forth and multiply. So, in other words, the guy who found the exploit loses out for forcing someone at Facebook to realise it was a flaw.
In effect, the hacker was punished for his good faith – when he could have sold it on to a third party and made more cash that way.