Khalil Shreateh posted to Mark Zuckerberg’s wall in order to prove a Facebook bug, only to have his account disabled.
Shreateh, a Palestinian IT graduate, had previously reported the flaw, which let him post on other people’s Facebook walls regardless of privacy settings or whether he was their friend, as a bug to the Facebook ‘White Hat’ security page. The page allows those who have found a vulnerability to submit it to the Facebook team, and offers a minimum ‘Bug Bounty’ of $500 to the finder.
As Shreateh details on his blog, the email contained a link to a successful post he had made on the wall of Sarah Goodin, who attended the same college as Mark Zuckerberg. After the security team replied saying the link resulted in an error, Shreateh attempted to explain that the error was due to Goodin’s privacy settings, which Shreateh’s exploit was bypassing.
In another email asking for a test account to demonstrate the exploit on, Shreateh states that he ‘can post to mark [sic] wall’ but won’t due to people’s privacy. In reply, one of the security team members tells Shreateh ‘this is not a bug’.
Shreateh, who claims he had ‘no choice’ but to post to Zuckerberg’s wall, then submitted a message on the Facebook founder’s profile outlining the bug he had found. In response, another Facebook engineer contacted Shreateh asking for details. Shreateh’s account was disabled minutes later, with an email explaining that he had not offered enough information about the bug, and had broken Facebook’s terms of service, resulting in the ban.
Shreateh’s account was eventually re-enabled, but with a statement from Facebook saying that, due to the violation of its terms, it could not offer him the monetary reward.