Khalil Shreateh, a Palestine IT expert posted a bug report on the facebook timeline of Facebook’s Founder Mark Zuckerberg after his security bug report was ignored by the facebook security team. The vulnerability he reported posted allows anyone to post anything to anyone’s timeline whether or not there are facebook friends.
Despite reporting this bug to the “white hat” security bug reporting feature which offers a minimum bounty of $500 if the bug is genuine by demonstrating on a timeline of Mark Zuckerberg’s friend ‘Sarah Goodwin,’ was told by a facebook security engineer that it wasn’t a bug.
Shreateh then went on to “let” Zuckerberg know by posting a note to the facebook founder’s page. He managed to post this “I appreciate your time reading this and getting someone from your company team to contact me”
He was shortly contacted by the Facebook security team seeking for details of the bug. However Shreateh’s account disabled as a precaution by the security engineer. And later a Facebook security engineer who identified himself as Joshua told Shreateh that “When we discovered your activity we did not fully know what was happening,”
Joshua also informed Shreateh that he wouldn’t be receiving a bug reward because he violated Facebook’s terms of service. And added that “We do hope, however, that you continue to work with us to find vulnerabilities in the site”
Below is a Video showing how Sheatreh did it.