When Facebook fails to pay $500 bug bounty, hacker goes public -- by hacking Zuckerberg's Facebook account

Let's say you're a fledgling security researcher and you've found a significant hole in Facebook: one that lets any Facebook member post anything they like to anyone else's wall, regardless of friendship status. In other words, the wall-post feature is missing an authorization check. You dutifully report the hole to Facebook's Whitehat security team and wait for the company to cut you a check for $500 or more, the minimum bounty the program pays for a valid bug.

Instead you receive a terse reply, stating simply, "I'm sorry, this is not a bug."

Nothing else happens. Your report goes unacknowledged, and the bug remains. You get impatient and decide to do something to get Facebook's attention. What would you do?

If you're Khalil Shreateh, an information systems expert from Palestine, you do it by using the bug to post a message on Mark Zuckerberg's own wall.

That, finally, worked. Within moments, Shreateh's Facebook account was suspended and Facebook security engineers were in touch with him, anxious to learn the details of the exploit. There's just one problem: Facebook isn't willing to pay Shreateh a dime for the report.

Swallow the money

Shreateh originally demonstrated that his hack worked by posting a video of Enrique Iglesias to the wall of one of Zuckerberg's oldest friends. When that was ignored, he went for Zuckerberg's wall itself. But both posts violate Facebook's terms and conditions for bug reporting, notes Facebook security engineer MK Jones in a post to Hacker News:

…the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts …to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.

Facebook allows researchers to use real accounts when they can't reproduce a vulnerability with test accounts. It's not clear whether that was the case here; the usual expectation in any bounty program is that a proof of concept runs against accounts the researcher controls, so that no real user's data is touched, however benign the demonstration. Shreateh wrote a blog post detailing the efforts he made to alert Facebook to the vulnerability, along with a video, but his English is fractured and hard to follow.

Still, I can think of a few things Shreateh could have done if he'd decided to go rogue or sell the exploit on the Internet's black market, all of them worth a hell of a lot more than 500 bucks:

- Use it to generate Facebook spam to millions of users.
- Use it to generate links to a drive-by malware installation site.
- Use it to run a scam targeting specific users, à la the "I'm stranded in London, please send money" con that cost at least one gullible Facebook user in Missouri $4,000.
- Use it to impersonate a famous person (say, Mark Zuckerberg) and make some coin by posting bogus statements that could drive his company's share price up or down momentarily.

In the grand scheme of things, posting a sincere note to Zuckerberg's wall is a pretty benign way of making a point.

Pay now or pay later

This is an increasingly common, if controversial, tactic among security researchers. In May, Google announced it would give vendors seven days to respond to private reports of critical flaws under active exploitation before going public with them, a policy widely read as a response to Microsoft's blatant foot dragging in fixing holes (possibly at the behest of the NSA).

Facebook is also notorious for failing to respond quickly to public concerns over privacy and security, or to queries from journalists, for that matter. I'd estimate that maybe a third of the questions I've sent to Facebook over the years have ever garnered any response. I totally get Shreateh's frustration.
I also get that Facebook would rather not encourage researchers to demonstrate their exploits on real accounts, especially that of its founding CEO. But would it rather have Shreateh take his next exploits over to the dark side? How much would it cost Facebook in the long run if he and his fellow security wonks changed the color of their hats from white to black? Set against that, $500 is a steal.

Would you pay Shreateh the money? Tell me why or why not below or email me here: cringe@infoworld.com.

This article, "Hacker: I pwned Zuckerberg; at least give me a stupid T-shirt," was originally published at InfoWorld.com.