A Palestinian white hat hacker became a hero in his village yesterday for hacking Mark Zuckerberg’s Facebook page to reveal a critical bug.
Today, the news about Khalil Shreateh continues to circle the globe, revealing that the hacker, from Yatta, a town south of Hebron in the West Bank, was initially rebuffed by Facebook's
“I don’t see anything when I click [that] link except an error,” one security team member wrote when Khalil initially posted on the Facebook page of Sarah Goodin, a Harvard classmate of Zuckerberg’s and the first woman to join Facebook.
Yet Shreateh was adamant about getting the point across; after all, as he told CNN in a powerful interview, the bug's implications for Facebook went far beyond a user occasionally seeing a post from a non-friend.
“To find a way to post to other Facebook users’ timelines, this is dangerous,” Shreateh said. “This is so dangerous, because it will allow people to make public ads without paying Facebook money.” If spammers could post ads at will, it could cripple Facebook’s ad program.
To demonstrate the bug, Shreateh then posted on Mark Zuckerberg's wall: "First, sorry for breaking your privacy and posting to your wall, I had no other choice to make after all the reports I sent to the Facebook team." (Read Khalil's blog post in English and Arabic for the full story.)
A security team member contacted him within minutes, disabling his account. Shreateh's account is now re-enabled, but he has not been awarded the bounty that Facebook typically pays white hat hackers who demonstrate code vulnerabilities.
The reasoning, Matt Jones of Facebook’s security team explained on Hacker News, was that Khalil’s initial demonstration of the bug was not well understood, and he had not followed the rules, which state that hackers must “make a good faith effort to avoid privacy violations,” and “use a test account instead of a real account when investigating bugs.”
“We welcome and will pay out for future reports from him (and anyone else!) if bugs are found and demonstrated within these guidelines,” Jones concluded.
In Yatta, where Khalil lives, receiving the $500 to a few thousand dollars that Facebook's Bug Bounty program typically pays out would have been life-changing; unemployment is above 22% in Yatta, and he hasn't found a job in two years. While he has since received job offers from hackers who want to exploit the bug, he has turned those offers down, he told CNN.
Now, members of the online community are taking the situation into their own hands. Marc Maiffret, the Chief Technology Officer at BeyondTrust, a leading security and compliance management company, has launched a page to support Shreateh on the crowdfunding site GoFundMe.
With a goal of $10,000, it’s raised over $7,250 so far, and will likely reach its goal by the end of the day.
“All proceeds raised from this fund will be sent to Khalil Shreateh to help support future security research. Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work. Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone,” says Maiffret, who is famous himself for hacking Microsoft’s software (after waking up to FBI agents pointing guns at his head at the age of 17, he went on to become a leading white hat hacker).
Members of the Palestinian tech community have responded in support, posting in both the PalGeeks and Peeks communities.
“I feel proud of any achieving Palestinian… I feel proud about Palestinian hackers… esp[ecially] white hats, because I do not have to rationalize their behavior,” said Tareeq Abdeen, a graduate of George Mason University living in East Jerusalem.
"Even though it's wrong from Facebook['s] point of view, posting on Zuckerberg's wall was freakin' awesome… This dude is a genius!" said Rasha Rasem Khatib, one of Palestine's leading coders, who is working to build a coding culture in Palestine, especially among
“I think they [should] hire him[;] it is much better than giving him the $500 reward,” said Lamees Abdeljalil, a graduate of Birzeit University.
It looks like Shreateh will receive far more recognition and reward than Facebook's Bug Bounty program would have given him.
“With great power comes great responsibility. Thank you for exercising both,” one donor wrote on the wall of his GoFundMe page.