Facebook CEO Mark Zuckerberg speaks during an event at Facebook headquarters on April 4, 2013 in Menlo Park, California. Zuckerberg announced a new product for Android called Facebook Home. (Photo by Justin Sullivan/Getty Images)

Man hacks Mark Zuckerberg's Facebook account to prove a point, expose glitch


YATTA, West Bank -- After discovering a privacy bug on Facebook, unemployed Palestinian programmer Khalil Shreateh said he just wanted to collect the traditional $500 bounty the social network giant offers to those who voluntarily expose its glitches.

But when Facebook ignored his first two reports, Shreateh took his message to the top - and hacked into CEO Mark Zuckerberg's personal page to prove his point.

"Sorry for breaking your privacy," he wrote the Facebook founder, "I has no other choice to make after all the reports I sent to Facebook team ... as you can see iam not in your friend list and yet i can post to your timeline."

The stunt cost the 30-year-old Palestinian the bounty, but earned him praise - and numerous job offers - for being able to get to the boss of the world's most ubiquitous social network.

Shreateh, who lives near the West Bank city of Hebron and has been unable to find a job since graduating two years ago with a degree in information technology, told Facebook that he found a way that allowed anyone to post on anyone else's wall. "I told them that you have a vulnerability and you need to close it," he told The Associated Press. "I wasn't looking to be famous. I just wanted to make a point to Mark (Zuckerberg)."

In a message posted to the Hacker News, a user-driven security news site, Facebook software engineer Matthew Jones said the initial report was poorly worded, although he acknowledged that the company should have pressed for more information.

"As a few other commenters have pointed out, we get hundreds of reports every day," Jones wrote. "Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those ... provide some modicum of reproduction instructions."

Nevertheless, he said, "we should have pushed back asking for more details here."

He went on to say that Shreateh would not be paid from Facebook's bounty program because he'd violated the company's terms of service - namely by posting items to the Facebook pages of users he should not have had access to.

"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat," he said, using an industry term for ethical security experts.

Jones added that the bug was fixed Thursday. Facebook declined to comment beyond the post.

The bug - and Facebook's response to it - has become a talking point in information security circles, with many speculating that the Palestinian could have helped himself to thousands of dollars had he chosen to sell the information on the black market.

Shreateh said he was initially disappointed by the Facebook response but that after being inundated by job offers from all over the world he is pleased with how things worked out.

"I am looking for a good job to start a normal life like everybody," he said. "I am so proud to be the Palestinian who discovered that exploit in Facebook."

Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
