A significant hole in Facebook allows any Facebook member to post anything they feel like to anyone else's wall, regardless of friendship status!

Khalil Shreateh, a fledgling security researcher, dutifully reported the hole to Facebook's Whitehat security team and waited for the company to send him a $500+ check, the standard bounty for bug hunters. Instead he received a terse reply, stating simply, "I'm sorry, this is not a bug."

Nothing else happened. The bug remained. He got impatient and decided to do something to get Facebook's attention: he used the same bug to post a message on Mark Zuckerberg's personal wall.

[Screenshot: Zuckerberg wall hack]

Well, that finally worked! Within moments, Khalil's Facebook account was suspended and Facebook security engineers were in touch with him, anxious to learn the details of the exploit.

There's just one problem: Facebook isn't willing to pay Shreateh a dime for the report because, by posting to Zuckerberg's wall, he technically violated Facebook's terms and conditions for bug reporting.

In the grand scheme of things, posting a sincere note to Zuckerberg's wall is a pretty benign way of making a point. He could have:

  • Used it to generate Facebook spam to millions of users.
  • Used it to generate links to a drive-by malware installation site.
  • Used it to impersonate a famous person, say Mark Zuckerberg, and make some coin by posting bogus statements that could drive his company's share price up or down momentarily.

What would you have done?

From InfoWorld.
