Palestinian IT Expert Rewarded For Facebook Hack
August 21, 2013

Palestinian IT Expert Earns $11,000 For Posting To Zuckerberg’s Wall

Michael Harper for - Your Universe Online

This weekend Palestinian IT expert Khalil Shreateh hacked into Facebook CEO Mark Zuckerberg’s account on the social network and posted a bug report. Rather than receiving the $500 promised him by the social network for reporting a security flaw, he had his account suspended by Facebook without any reward.

Today Shreateh is $11,305 richer after other security experts gave to a campaign to reward him for his hard work. After hearing about Shreateh’s successful hack into Zuckerberg’s account and the subsequent denial of payment, security researcher Marc Maiffret set up a fundraising campaign on GoFundMe and asked other security experts to donate money to the cause. The goal of $10,000 was reached on Tuesday afternoon, but contributors continued to give to the campaign, earning him over $11,000. Once the money was gathered, Maiffret had the task of confirming that the money was given to Shreateh and not an impostor.

“That would be the worst outcome of all, to give it to someone posing as him,” said Maiffret in an interview. He is convinced, however, that he found the right person, despite several other hackers claiming to be Shreateh in order to claim the $11,000.

“I hope this has raised awareness of the importance of independent researchers. I equally hope it has reminded other researchers that while working with technology companies can sometimes be frustrating, we can never forget the greater goal; to help the Internet community at large,” reads the campaign which raised the money for Shreateh.

The Palestinian IT expert, who is not a native English speaker, first attempted to submit his bug reports to Facebook through their security feedback page. Facebook welcomes bug reports and, if a researcher can demonstrate a security flaw, will reward them with $500. Upon receiving the first bug report from Shreateh, a member of Facebook’s security team simply responded: “Sorry, this is not a bug.”

By using the flaw he discovered in Facebook’s system, Shreateh was able to post to the page for Sarah Goodin, a Facebooker who is friends with CEO Zuckerberg but not Shreateh. On his blog the researcher explains that he submitted this flaw through WhiteHat, but received no other response from the Facebook security team. Finally Shreateh decided to post the flaw somewhere he knew would earn some attention: Mark Zuckerberg’s wall.

"First, sorry for breaking your privacy and post(ing) to your wall," wrote Shreateh on Zuckerberg's wall. "I (have) no other choice to make after all the reports I sent to (the) Facebook team."

Following the Zuckerberg post, the security team at Facebook fixed the flaw but did not reward the researcher with his bounty. Instead, they suspended his account, claiming he had violated their Terms of Service. Facebook Software Engineer Matt Jones said Shreateh’s reports didn’t offer enough information and therefore they could not replicate the flaw on their end. Jones also mentioned, however, that the language barrier between the team and Shreateh may have been an obstacle in each of his bug reports.

“Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided,” said Jones.