Shreateh describes the incident in a blog posting. “Days ago,” he writes, “i discovered a serious facebook vulnerability that allows a facebook user to post to all facebook users timeline even they are not in his friend list.” He reported the bug to Facebook via the official ‘whitehat’ page, and demonstrated it by posting a message to Sarah Goodin’s wall.
Goodin is a college friend of Zuckerberg, a Facebook friend of Zuckerberg, and was the first female member of Facebook.
The Facebook security team checked the report, and replied, “I dont see anything when I click link except an error.” Shreateh had to reply, in words to the effect, ‘Of course you won’t see it if you’re not a friend of Goodin – you’d have to override the Facebook privacy controls to do so.’
On one level it is reassuring that Facebook doesn’t immediately and automatically look into users’ private accounts; but it is less reassuring that the security team simply continued to deny there was a problem. This time it replied only, “I am sorry this is not a bug.”
To prove his point – a possibility Shreateh had already noted in his second email to Facebook (“i can post to mark wall either but i will not cause i do respect people privacy”) – he used the vulnerability to post directly to Mark Zuckerberg’s own wall. The message started, “First sorry for breaking your privacy and post to your wall, i has no other choice to make after all the reports i sent to Facebook team.”
This time he got a response within minutes, with Facebook asking for full details; and “a minute after that i got my account disabled,” writes Shreateh. It has since been re-enabled, but Facebook also said, “We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
The incident has ignited a debate on whether Shreateh should receive some reward for finding and reporting the vulnerability. On the one hand, he violated Facebook’s bug reporting procedures by using live accounts (Goodin’s and Zuckerberg’s) to demonstrate the flaw rather than setting up a test account to do so. One of the conditions for qualifying for a bounty states, “Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.”
On the other hand, he did report the bug to Facebook, and he did not sell it or reveal it to spammers. Facebook fixed the bug by Thursday of last week.