Facebook user Khalil Shreateh has pulled off the kind of heist that fans of the film The Social Network might appreciate. The Palestinian Facebook user apologized to Mark Zuckerberg over the weekend for posting on the founder’s own Timeline, after countless attempts to submit a security flaw through the company’s white hat disclosure program, which encourages users to hack the network to expose bugs.

“Sorry for breaking your privacy… I had no other choice… after all the reports I sent to Facebook team.”

Shreateh accessed Zuck’s page by taking advantage of the exact glitch he was reporting: a bug that would allow any Facebook user to post on a stranger’s wall despite the privacy settings designed to keep that wall off-limits. As part of its white hat program, Facebook offers a reward to hackers who manage to bypass its security controls, hoping the bounty will act as an incentive to report glitches rather than exploit them.

It doesn’t look like Shreateh will be getting rewarded though.

Before even officially reporting the bug, Shreateh successfully tested it by posting on the wall of Sarah Goodin, Zuckerberg’s former college classmate. He included a link to this post in the email, but a Facebook security employee who goes by Emrakul couldn’t see the post, since he wasn’t friends with Goodin.

Shreateh tried to explain in a follow-up email to Emrakul that he could very well post to Zuckerberg’s wall if he wanted. He added that he wouldn’t, allegedly stating, “‘Cause I do respect people privacy.” His second email, however, received more crickets from the social site. So he proved his point in memorable fashion.

The post on Zuckerberg’s wall got the attention of Ola Okelola, another Facebook security engineer. Okelola commented on the post, asking for more information on the bug. After a brief discussion, Shreateh’s Facebook account was suspended in what Facebook labeled “a precaution.” Shreateh then got an email from another Facebook security engineer named Joshua explaining why he had gotten the runaround, and why he wouldn’t get a $500 reward for his effort.

“Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it,” Joshua wrote. “We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue.” He added that Facebook was “unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service.”

By posting on Zuckerberg’s wall, Shreateh also violated Facebook’s responsible disclosure policy, which prohibits people who discover bugs from taking advantage of them and from demonstrating them on other people’s accounts without permission.

“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” explained Facebook’s Matt Jones on the site Hacker News.

“Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent,” Jones said.

Facebook declined to comment further. And according to Jones, the hoopla may have been all for naught: the bug was apparently fixed on Thursday.

Oh, and here’s how he did it.

{video link no longer active}

Source: Mashable