Recently, we saw some bugs that let people upload animated pictures and share Facebook pages with animated pictures. Now, a Palestinian hacker has managed to break Facebook's privacy controls and post on the timelines of users who were not his friends. He was able to post links, statuses and photos. The hacker first ran a small test on Sarah Gooden's timeline, and later reported the vulnerability details to Mark Zuckerberg by posting on his timeline. After he posted the details to Mark Zuckerberg's timeline, his Facebook account was suspended for a few hours.
The Palestinian hacker, named "Khalil", wrote the following post on Mark Zuckerberg's timeline. The wall post was not visible to the public, only to the hacker and Mark Zuckerberg.
Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall, I had no other choice to make all the reports I sent to Facebook team. My name is KHALIL, from Palestine. Couple days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users' timeline while they are not in friend list. I reported that exploit twice, first time I got reply that my link has an error while opening, other reply I got was "sorry this is not a bug". Both reports I sent from www.facebook.com/whitehat, and as you see I am not in your friend list and yet I can post to your timeline. This is the last email I sent including the Facebook team reply. http://pastebin.com/zzi2WYK6 I appreciate your time reading this and getting someone from your company to contact me. Sincerely, Khalil
Because he did not get a proper response from the Facebook team when he first reported the issue, Khalil was forced to post the vulnerability details to Mark Zuckerberg's timeline. He was then contacted by Ola Okelola, a Software Engineer at Facebook. Facebook did not give the seriousness of the vulnerability much attention.
After Facebook fixed the vulnerability, the team did not list the hacker's name on the Facebook Whitehat thanks page, for a reason given by the Facebook team. Usually, when someone reports a vulnerability to Facebook, they are paid $500, but this time Facebook did not pay Khalil, even though the vulnerability was serious because it affected the privacy of Facebook users.
When Khalil asked for credit, he was told that he had violated the Facebook website Terms of Service and so would not be paid.
Khalil still ought to be paid by Facebook, considering the seriousness of the vulnerability he reported. He posted on Mark Zuckerberg's timeline because he was not properly acknowledged when he initially reported the vulnerability details to the Facebook team three times.
The hacker who broke the privacy settings also made a video showing how he posted links, statuses and photos to Facebook users who were not in his friend list.
[youtube F9J8U9ZpEnw]
What are your thoughts on the seriousness of the vulnerability? What if someone posted on your timeline while not in your friend list? Comment below.
To support this guy, you can donate to Khalil Shreateh.