A security researcher from Palestine named Khalil found a bug on Facebook and reported it twice to the Facebook Security Team. Facebook created its Bug Bounty Program two years ago so that researchers can report bugs and get paid, with payouts starting at $500.
Khalil found a bug that allows any user to post on any Facebook user's wall, even if the poster is not on that person's friend list. However, Facebook refused to accept this as a bug and replied to Khalil that they were sorry, but this is not a bug. That was it; they closed the issue.
In the bug report, Khalil posted an example of how he had posted a message on the wall of a random woman who had studied with Facebook founder Mark Zuckerberg. Despite that, Facebook's security team said "Sorry, this is not a bug" for a second time.
Disappointed, Khalil decided to post the bug report on Mark Zuckerberg's own wall, with the following message:
Dear Mark Zuckerberg,
First, sorry for breaking your privacy and posting to your wall; I had no other choice after all the reports I sent to the Facebook team.
My name is KHALIL, from Palestine.
A couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users' timelines while they are not in their friend list.
I reported that exploit twice. The first time I got a reply that my link had an error while opening; the other reply I got was "sorry this is not a bug". Both reports I sent from www.facebook.com/whitehat, and as you see I am not in your friend list and yet I can post to your timeline.
This is the last email I sent, including the Facebook team's reply.
I appreciate your time reading this and getting someone from your company team to contact me.
Within minutes, an engineer from Facebook contacted Khalil to get the full details of the exploit, and Facebook disabled Khalil's account, citing security reasons. Facebook fixed the bug some time later.
Despite this, Facebook refused to pay Khalil the bounty, saying that he had violated the Terms of Service of Facebook's White Hat security feedback program.
In its latest reply, Facebook re-enabled Khalil's Facebook account and expressed interest in him continuing to work with Facebook to find more vulnerabilities.
Demo of the Facebook exploit, recorded by Khalil