The vulnerability allows anyone to post anything to anyone else's page, regardless of whether they are a Facebook friend of that person, Khalil Shreateh wrote in a blog post Saturday. Shreateh initially reported the vulnerability through Facebook's "white hat" security disclosure service, which offers a minimum bounty of $500 for legitimate bugs.
However, despite including a demonstration of the bug executed on the Facebook page of Zuckerberg pal Sarah Goodwin, Shreateh was told by a Facebook security engineer in a terse note that "sorry this is not a bug."
Undaunted, Shreateh decided to share his experience with Zuckerberg by posting a note to the Facebook founder's page that apologized for the post but said he had "no other choice."
"[A] couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users timeline while they are not in friend list," Shreateh wrote in his post to Zuckerberg's timeline. "I appreciate your time reading this and getting someone from your company team to contact me."
Within minutes, Shreateh was contacted by a Facebook security engineer seeking details of the exploit, Shreateh said, adding that his own Facebook account was quickly disabled. A security engineer told Shreateh his account had been disabled as a "precaution."
"When we discovered your activity we did not fully know what was happening," an engineer who identified himself as "Joshua" told Shreateh. "Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."
Joshua also informed Shreateh that he would not be receiving a bug reward for reporting the exploit because he violated the site's terms of service. "We do hope, however, that you continue to work with us to find vulnerabilities in the site," he wrote.
A Facebook security engineer responded Saturday in a Hacker News post that the vulnerability was fixed Thursday and conceded that Shreateh should have been asked for more details on the issue after his initial report. The engineer wrote that Shreateh's initial report had contained inadequate information about the bug and that his post to Zuckerberg's timeline violated the social network's responsible disclosure policy.
"Exploiting bugs to impact real users is not acceptable behavior for a white hat," the engineer wrote, adding that researchers are allowed to create test accounts to aid their research.