If your Facebook profile isn’t public, others aren’t supposed to be able to post content on your wall. Khalil Shreateh, a self-professed IT expert from Palestine, claims to have discovered a vulnerability that lets anyone post a link to other Facebook walls. Shreateh says he reported the bug to Facebook recently, but he claims that, instead of taking him seriously, the company ignored the problem and decided it wasn’t a bug.
In a lengthy blog post outlining the timeline of events, Shreateh says he tested the vulnerability on Sarah Goodin — a friend of Facebook CEO Mark Zuckerberg, and the first woman to sign up to the service — before reporting it through Facebook’s whitehat disclosure service for security researchers. The whitehat service rewards researchers with at least $500 for successful bug reports. In a copy of an email sent to Facebook, Shreateh explains the details and notes that the security team might not be able to see his test post, as Goodin restricts posts to only her friends. Although Shreateh attached a screenshot of the post, a Facebook security engineer, identified only as Emrakul, replied saying “I am sorry this is not a bug,” without asking for additional information.
Unperturbed by the response, Shreateh decided to notify Mark Zuckerberg himself by posting to his timeline. Minutes later, Facebook security engineer Ola Okelola contacted Shreateh requesting details on the exploit. Facebook disabled his account, presumably fearing a wider security breach.