Palestinian hacker Khalil Shreateh has apologized to Facebook CEO Mark
Zuckerberg for gaining access to his wall in an attempt to prove a glitch, Al
Arabiya reported on Monday.
Shreateh accessed the page of the social
media website’s founder by taking advantage of a glitch that would allow any
Facebook user to post on a stranger’s wall, despite security settings designed
to help users keep their pages private.
Facebook has a reward for hackers
who manage to bypass their security system, hoping this will act as an incentive
to report glitches rather than exploit them.
The hacker first contacted
the Facebook security team after proving a glitch was real by writing on the
wall of a friend of the Facebook founder.
Shreateh – whose first language
is Arabic – wrote to Facebook saying: “My name is Khalil Shreateh. I finished
school with BA degree in Information Systems. I would like to report a bug in
your main site (www.facebook.com) which i discovered it...The bug allow Facebook
users to share links to other facebook users, I tested it on Sarah.Goodin wall
and I got success post [sic].”
Shreateh went on to recount his attempts
to notify the social media site, and posted a grab of the message on his blog.
He says he hoped his ability to post to Sarah Goodwin’s page would help prove
his case to the Facebook security team. There is also a video on YouTube showing
how he accessed the various pages.
After Facebook responded by denying
that the glitch was a bug, Shreateh used the same glitch to hack his way onto
Zuckerberg’s Facebook page. And, in a message to Zuckerberg, he wrote: “Sorry
for breaking your privacy.... I had no other choice… after all the reports I
sent to Facebook team.”
He also posted an image grab of this message on
Facebook responded immediately, asking him why he had hacked
the page when they had fixed the bug, according to a post by Matt Jones from
Facebook’s security team on Hacker News.
According to Hacker News,
Shreateh had violated the terms of service by posting to Zuckerberg and Goodin’s
accounts and would not be rewarded for his find.
“In order to qualify for
a payout, you must make a good-faith effort to avoid privacy violations” and
“use a test account instead of a real account when investigating bugs,” the
Daily Mail quoted Jones as writing.
“[We] will pay out for future reports
from him,” the Mail quoted Jones as saying, “if they’re found and demonstrated
within these guidelines.”