The social media site Facebook has a rewards policy for individuals who identify bugs and security holes in their platform.
When a user named Khalil, from Palestine, identified a serious issue with Facebook’s privacy settings that allowed a hacker to hijack a user’s wall, he sent emails to the company’s technical team. After numerous contact attempts, he had received neither his $500 reward (a paltry sum for a multi-billion dollar web empire) nor any response from Facebook’s developers, and therefore assumed he was being ignored.
So what’s a hacker to do when he identifies a gaping security hole on a platform that serves hundreds of billions of users and his reports fall on deaf ears?
Hack the owner’s account!
And that’s exactly what Khalil did… to none other than Mark Zuckerberg.
Using the security hole he identified, Khalil was able to gain access to the chief’s Facebook wall and post whatever he wanted. But because he’s considered a white-hat hacker, and his intention was to inform rather than wreak havoc, Khalil posted a friendly message:
Dear Mark Zuckerberg,
First sorry for breaking your privacy and post to your wall, i has no other choice to make after all the report i sent to Facebook team.
My name is KHALIL, from Palestine.
Facebook has since plugged the security hole that allowed Khalil access to Zuck’s account.
You’d think that this would warrant the $500 reward, but a Facebook spokesperson indicates otherwise:
“exploiting bugs to impact real users is not acceptable behavior for a white hat. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”
So, not only does white-hat hacker Khalil not get the reward because he violated the company’s terms of service, but his account was also suspended pending a security verification.
Good job Facebook. Way to ensure our privacy is protected and that users who identify security holes in your infrastructure are rewarded for their efforts.