Facebook Inc. (NASDAQ: FB) has issued a public apology to Khalil Shreateh, the Palestinian hacker who uncovered a major flaw in Facebook's security, for being too “hasty and dismissive” with Shreateh’s report. Facebook still wouldn’t pay Shreateh, so the white hat hacker community took things into their own hands and raised more than $11,000 with an Indiegogo campaign to compensate Shreateh for his efforts.
Shreateh exposed a bug that allowed any user to post to any Facebook Timeline, even without being friends with the timeline's owner. The Facebook security team ignored Shreateh’s initial reports, so the hacker demonstrated the bug by posting directly to Facebook CEO Mark Zuckerberg’s private Facebook page.
Facebook pays benevolent hackers a minimum of $500 for reporting bugs under the bounty program it uses to find security flaws, but the social network said Shreateh violated the terms of service by compromising the security of user accounts to demonstrate the bug. Shreateh claimed it was the only way to get Facebook’s attention.
Many members of the white hat community pointed out that this vulnerability could have been used by malicious hackers to fill Facebook pages with spam and malware. They argued that the damage Shreateh prevented outweighed his breach of the terms of service and that he should be rewarded for his work.
Marc Maiffret, the chief technology officer at BeyondTrust, started an Indiegogo campaign to raise money to pay Shreateh. In just one day, the account raised $11,305.
“I hope this has raised awareness of the importance of independent researchers,” Maiffret said on the Indiegogo page. “I equally hope it has reminded other researchers that while working with technology companies can sometimes be frustrating, we can never forget the greater goal: to help the Internet community at large, just as that community has helped donate over ten thousand dollars to Khalil within a day.”
Maiffret said he is in the process of transferring the funds to Shreateh.
Facebook said it has fixed the bug.