The researcher who hacked Zuckerberg's page to get rewarded but not from Facebook

Khalil Shreateh, the man who gained international fame a few days ago by writing on the Facebook wall of its CEO Mark Zuckerberg to prove there was a security flaw in the service, will get a monetary reward for finding the bug, but it won't be coming from Facebook itself.

Instead, the reward will come from a crowdsourced donation campaign on the Gofundme website. The page was set up by Marc Maiffret, the chief technology officer of the security firm BeyondTrust. He felt that Facebook's decision not to offer Shreateh a bounty for finding the exploit was wrong, saying, "Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone."

The goal was to raise $10,000 and so far, the campaign has raised over $11,000 in about a day. Maiffret says he is now in touch with Shreateh and is working with Gofundme to transfer the money to him.

Meanwhile, Facebook has now admitted that they "failed in our communication" with Shreateh when he tried to report the bug through normal channels before he decided to write on Zuckerberg's wall. In a Facebook post, the company's chief security officer Joe Sullivan stated:

We get hundreds of submissions a day, and only a tiny percent of those turn out to be legitimate bugs. As a result we were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem.

Facebook will offer more detailed information on how to report an exploit from now on and will also improve its email communications with the people who report such bugs. However, the company is still refusing to offer a bounty to Shreateh, with Sullivan saying, "It is never acceptable to compromise the security or privacy of other people."

Source: Gofundme and Facebook | Image via Facebook


21 Comments


TBH Facebook's bug program is terribly worded and this guy's native language wasn't English. To boot, he was doing his research on a 5-year-old busted-looking laptop.

Wow, I gotta say I did see this coming that Facebook wouldn't pay up, but I didn't see a donation coming, especially the amount of it. Congrats to him. I absolutely HATE Facebook in every aspect.

I can see where Facebook are coming from in terms of not paying a reward... If they do, they would probably get a tonne of people trying to hack the site for a monetary reward.

ashpowell said,
I can see where Facebook are coming from in terms of not paying a reward... If they do, they would probably get a tonne of people trying to hack the site for a monetary reward.

The worst hacker (cracker) is the sneaky one

What? Have you no idea how security works, or how a rogue hacker with such a bug available could abolish Facebook as we know it???

Microsoft, Google and MANY other huge companies REALLY REALLY REALLY want the would-be rogue hackers to turn the bugs over to them for money rather than exploit them themselves in a malicious manner for financial gain or denial of service. There are competitions and standing offers at nearly any major online service for such 'bug' information. Generally, how severe the vulnerability is correlates to how much of a payout the company would make for preventing it. Posting anything on anyone's wall seems pretty high up there on the bug possibilities.

When they fix the bug but offer no reward is when security researchers get ****ed and switch from 'whitehat' to 'blackhat', thus releasing bug information publicly or to malicious internet groups to use. Imagine the fiasco Facebook would be in if hackers utilized this bug, rather than Facebook fixing it. It's no walk in the park to find such vulnerabilities; it takes skills and effort.

Edited by srbeen, Aug 21 2013, 9:57pm

srbeen said,
REALLY want the would-be rogue hackers to turn the bugs over to them for money rather than exploit it themselves in a malicious manner for financial gains or denial of service.

You've just said what I did right there...

My point being they want them to email or hand over the bugs, rather than pay them money for actually doing it..

If they start paying for people actually exploiting it themselves, then they may encourage future hackers to exploit and carry out for money rather than mailing it in.

One small example of what happens when big or arrogant companies ignore problems brought to their attention by their users. You do not and never will have all the answers, nor will you know what's best for your users. AT&T, H-P, Microsoft, and others, take note!

Good effort... FB needs to learn ethics now and revise and make their ToS more clear, or else security researchers will be hesitant in the future; they are ****ed off with this incident.

Good. I was ****ed about how Facebook handled it. I've seen so many problems over the years in Facebook and I wish I could take action.

COKid said,
You can. Close your account and don't use FB.

Ever been in a job interview and had the interviewer tell you it was weird to have no social presence? I referred him to my LinkedIn account and was asked what that was. I still don't have a Facebook, and people still think it's weird.

NastySasquatch said,

Ever been in a job interview and had the interviewer tell you it was weird to have no social presence? I referred him to my LinkedIn account and was asked what that was. I still don't have a Facebook, and people still think it's weird.

Apparently that company has no social presence if they don't know what LinkedIn is.

NastySasquatch said,

Ever been in a job interview and had the interviewer tell you it was weird to have no social presence? I referred him to my LinkedIn account and was asked what that was. I still don't have a Facebook, and people still think it's weird.

That's what is scary about the internet. Nobody ever asked to see my hand-written diary & Rolodex when I went for interviews in the late '90s. I fail to see the difference between that and Facebook.

My cousin who lives on another continent said she was ****ed off she had no way to contact me because I don't use Facebook. I mentioned no less than 6 other ways of international communication, which shut her up. I also know several landlords who screen everyone via social media. No account? No rental. Private account? No rental. Don't like who you have listed as friends? No rental. Don't like the content of your posts/messages? No rental. It's crazy, biased and ignorant... Sadly, all claim their tenants cause no issues now compared to those who couldn't be 'screened' 15 years ago.

Edited by srbeen, Aug 21 2013, 9:51pm