Normally, nothing can be posted on your Facebook wall by strangers; only you or your friends can post there. Khalil Shreateh discovered a Facebook bug that allowed a hacker to post on anyone's wall, even if that person was not in the hacker's friends list.
According to a post on Khalil’s blog, Facebook ignored the bug and replied back that it was not a bug.
He tried a second time to warn Facebook, and when that didn't work he decided to prove that his exploit worked. On Thursday, Khalil posted a message onto Zuckerberg's Facebook timeline that read: "Sorry for breaking your privacy [to post] to your wall, i [had] no other choice to make after all the reports I sent to Facebook team". He also explained that Facebook's security team wasn't taking him seriously.
Normally Facebook pays people to report bugs rather than exploiting them or selling them on the black market. This is Facebook's standard bug bounty program, under which security researchers are paid at least $500 for each legitimate bug they report responsibly. $500 is the minimum amount that Facebook pays security researchers; the bounty increases with the severity of the bug, with no set maximum.
In Khalil's case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email he shared on his blog.
He was never considered for a bug bounty, and Facebook was not happy with him. Facebook explained to him that he had violated their Terms of Service. It should be noted that Facebook's bug disclosure policy requires researchers to use test accounts for their investigations and reports, rather than the accounts of other Facebook users. Since Khalil posted on Zuckerberg's wall, he had broken those rules. Facebook says:
Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
In a post on Hacker News, Matt Jones from Facebook's security team said that once the team understood the bug they acted quickly: "We fixed this bug on Thursday."
Facebook also temporarily suspended Shreateh's account.
If you are interested, Facebook's full comment on what happened is posted on Hacker News. There you will also find an explanation of why Shreateh was disqualified from payment.