Facebook may have declined to pay unemployed IT researcher Khalil Shreateh for revealing a flaw on the social network, but security expert Marc Maiffret is making sure the Palestinian resident will be paid for his troubles.
Maiffret, the chief technology officer at BeyondTrust, a leading security and compliance management company, has launched a campaign on gofundme to raise $10,000, the proceeds of which will go to Shreateh.
Shreateh achieved his 15 minutes of fame recently by hacking Facebook CEO Mark Zuckerberg’s personal Facebook page to expose a vulnerability in the social network’s system after being ignored by the site’s security team.
The bug he discovered, which has since been fixed, allowed anyone to post on any Facebook user’s wall whether or not they were friends.
The brush off Shreateh received from Facebook’s security team convinced him he would need to appeal to the site CEO before action would be taken on the security issue. To prove the bug was indeed real, he placed a note on Zuckerberg’s wall.
“(A) couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users timeline while they are not in friend list,” Shreateh said in his post on Zuckerberg’s timeline. “I appreciate your time reading this and getting some one from your company team to contact me.”
Shreateh was quickly contacted by a Facebook security engineer requesting details of the exploit. And while Facebook finally admitted there was indeed a flaw and has since fixed it, the company has refused to pay Shreateh the standard bounty via its White Hat security feedback program because he posted items on the walls of other Facebook users without permission. The White Hat program typically offers a minimum bounty of $500 for genuine vulnerabilities.
“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service,” a Facebook security engineer identified only as Joshua wrote in an e-mail to Shreateh. “We do hope, however, that you continue to work with us to find vulnerabilities in the site.”
Shreateh, who has been unemployed for two years, told CNN he was deeply disappointed by Facebook’s decision.
“I could sell (information about the flaw) on the black (hat) hackers’ websites and I could make more money than Facebook could pay me,” he told CNN. “But for me — I am a good guy. I don’t deal with the black (hat) stuff.”
Shreateh’s story convinced Maiffret, a former white hat hacker himself, to take action.
As of 7:30 this morning, the campaign started by Maiffret had raised $8,535 courtesy of 56 donors. Maiffret himself chipped in $3,000, according to a Wired article.
Maiffret described the vulnerability found by Shreateh as “an extremely valuable bug.”
“There’s so many ways to leverage that in cybercrime attacks,” he told Wired. “It was a good thing that he did. He might have done it slightly wrong, but ultimately it was a bug he got killed off before anyone did a bad thing (with it).”
All proceeds raised in the campaign will be sent to Shreateh “to help support future security research,” according to the gofundme page.
“Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work,” the page reads. “Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.”