Even though websites and software companies do their best to encourage people to be responsible hackers and report bugs and glitches in exchange for financial reward, they don’t always take the submissions seriously. When this happened with a flaw in Facebook’s privacy coding last week, the helpful hacker took matters into his own hands in a way that Facebook’s founder and CEO would not be able to ignore: he used the hack on Mark Zuckerberg’s own Timeline.
Khalil Shreateh, a developer and hacker based in Palestine, alerted the social network to the fact that it was possible to bypass the Facebook privacy settings and post to the Timeline of any user, regardless of whether or not they are friends with them. When Shreateh emailed Facebook about his discovery, he included a link to a post he’d made on the Timeline of Sarah Goodin – a former classmate of Mark Zuckerberg. However, the Facebook security employee who received the email was not friends with Goodin, and therefore couldn’t see Shreateh’s post, and the bug went ignored.
When a subsequent email from Shreateh to the security employee – warning that he would hack Zuckerberg’s Timeline – was also rejected with the response “I am sorry this is not a bug,” the Palestinian developer took matters into his own hands. “ok, that mean [sic] I have no choice other than report this to Mark himself on Facebook,” he responded.
After he posted what was admittedly a very apologetic message to Mark Zuckerberg’s Timeline, another Facebook security engineer finally took note, and the bug was eventually logged officially. However, as the second security engineer explained to Shreateh in an email, he was not entitled to any reward for his discovery:
“Unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service.”
Another Facebook employee, Matt Jones, explained further on Hacker News:
“Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”
Do you feel that Khalil Shreateh has been hard done by here? Is it ever right for an individual to breach a network’s terms of service if it leads to a net gain for the greater good? Leave a comment below with your opinion.