Facebook takes security seriously, as it should, seeing that over a billion people trust it with the private details of their lives. Yet a high-profile incident has called the company's handling of bug reports into question. A security researcher found a vulnerability that let him post on anyone's wall, even without being friends with that person (something Facebook's own rules prohibit).
The researcher initially reported the problem through the proper channel, but after concluding that Facebook wasn't taking the issue seriously, he demonstrated it by posting on none other than Mark Zuckerberg's wall (in case you don't know, Zuckerberg is the founder and CEO of Facebook).
Facebook usually pays bounties for bug reports like this: $20,000 or more for a single bug, and over $1M in total so far. In this case, however, Facebook refused to pay and even suspended the account of the person who found the bug. Here's the vulnerability in action:
Now, that's just one side of the story. The researcher used the vulnerability to post on real people's walls (not just Zuckerberg's), which violates Facebook's terms of service. Researchers (called "white hats" to distinguish them from malicious "black hat" hackers) are expected to use Facebook's dedicated whitehat portal, where they can create test accounts and do whatever testing they need, rather than experiment on real users' accounts.
Also, by the sound of it, the researcher's initial report didn't include details on how to reproduce the bug. A report that can't be reproduced can't be triaged, and providing those steps is part of the deal for any bounty program; that omission is part of why Facebook dismissed the initial report and why the social network is refusing to pay the bounty.