A Facebook engineer blamed language difficulties and documentation issues for a delay in fixing a bug that let a security researcher post directly to founder Mark Zuckerberg’s Timeline, which is restricted if two users aren’t friends.
Khalil Shreateh, who lives in Palestine, demonstrated the vulnerability by writing a message on Zuckerberg’s Timeline after an earlier bug report he submitted wasn’t acted upon, according to his blog.
The flaw was then fixed on Thursday, wrote Facebook software engineer Matt Jones. The social networking site on Sunday confirmed Jones’ post, which attributed the delay to the volume of reports Facebook receives and communication issues.
“For background, as a few other commenters have pointed out, we get hundreds of reports every day,” he wrote. “Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters.”
Shreateh violated Facebook’s bug reporting policy by demonstrating it on a real user’s page, Jones wrote. Shreateh had initially demonstrated the flaw to Facebook by posting a message on the page of a woman who went to college with Zuckerberg.
It appears from email correspondence posted by Shreateh on his blog that Facebook did not feel at first that he had found a bug. Shreateh then posted the message on Zuckerberg’s timeline. His blog includes a screenshot of that message in which he apologized to Zuckerberg for taking the issue directly to the CEO.
Facebook briefly suspended but reinstated his account, advising him that his report didn’t contain enough technical details. The company said he was ineligible for receiving a reward under Facebook’s bug bounty program because he violated their terms of service, an email message showed.
Jones wrote that Facebook lets security researchers open test accounts so vulnerabilities aren’t tested on real user ones.
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” Jones wrote. “Exploiting bugs to impact real users is not acceptable behavior for a white hat.”