Internet Rewards White Hat Facebook Hacker

Facebook Hacker Reward Fund

Facebook may have stiffed Palestinian security researcher Khalil Shreateh, but the Internet is riding to the rescue.

And the white hat hacker stands to collect a whole lot more than the $500 reward Facebook won’t pay him for discovering a zero-day vulnerability on the site—thanks to a GoFundMe collection taken up for Shreateh, he’s currently parlaying that relatively paltry sum into $10,000 and counting.

After Shreateh discovered a glitch that he said allowed people to post to other Facebook users’ Timelines, he notified the social network’s bug-disclosure and bounty program in several emails but got the brush-off in response.

So the unemployed bug-hunter upped the stakes, big time. A few days ago, Shreateh used the loophole he’d discovered to post a message about the glitch on Facebook CEO Mark Zuckerberg’s own profile page.

That certainly got everybody’s attention.

Facebook hastened to fix the vulnerability but, in the aftermath of the embarrassing episode, made it known that Shreateh wouldn’t be paid the $500 reward the bounty program offers to folks who notify the social network about such glitches. It turns out you’re not supposed to actually hack the site to prove that an exploit you’ve discovered is a real thing. That little no-no is actually plainly stated in the program’s guidelines.

So that puts Facebook in the position of being technically correct about withholding a reward for Shreateh. But it’s a decision that apparently doesn’t sit well with a lot of people, nonetheless.

And some of them are doing something about it.

On Tuesday, ZDNet’s Michael Lee spotted the GoFundMe campaign to raise some cash for Shreateh. It was started on Monday by BeyondTrust CTO Marc Maiffret, who kicked in $3,000 to get the ball rolling.

As Lee reports, Firas Bushnaq, the founder of BeyondTrust property eEye Digital Security, added another $3,000 and then it was off to the races—in less than 24 hours, contributors have taken the fund all the way to its $10,000 goal and beyond.

As of Tuesday evening, the tip jar for the man who hacked Mark Zuckerberg contained $10,320.


Zuckerberg’s account hacked to prove Facebook bug exists

A Palestinian information system expert says he was forced to post a bug report on Mark Zuckerberg’s Facebook page after the social network’s security team failed to recognize that a critical vulnerability he found allows anyone to post on someone’s wall.

The vulnerability, which was reported by a man calling himself ‘Khalil,’ allows any Facebook user to post anything on the walls of other users – even when those users are not included in their list of friends. He reported the vulnerability through Facebook’s security feedback page, which offered a minimum reward of US$500 for each real security bug report.

However, the social network’s security team failed to acknowledge the bug, even though Khalil enclosed a link to a post he made on the timeline of a random girl who studied at the same college as Facebook CEO Mark Zuckerberg.

“Sorry, this is not a bug,” Facebook’s security team said in response to Khalil’s second report, in which he offered to reproduce the discussed vulnerability on a test account of a Facebook security expert.

Facebook announces Embedded Posts, copies yet another Twitter feature

Facebook says it has started rolling out a much-wanted feature: embedded posts. This new Facebook feature will allow users to embed Facebook posts on other Web pages.

“Embedded Posts let people add public posts from Facebook to their blog or web site. When embedded, posts can include pictures, videos, hashtags and other content. People can also like and share the post directly from the embed,” Facebook software engineers Dave Capra and Ray He said in a post introducing embedded posts on Facebook.

Not all Facebook posts are embeddable, though; only posts whose privacy settings are set to public can be embedded.


Facebook Embedded Posts is currently limited to the content posted by a few news publishers and Facebook says broader availability is coming soon.

Embedded Posts is only the latest in the long list of Twitter features that Facebook has aped. The last major feature that Facebook copied from Twitter was the hashtag.

While Twitter users had been on their own using the # symbol as a prefix to a word or phrase to group related tweets for quite some time, Twitter began hyperlinking hashtags in July 2009, and Facebook began rolling them out in June 2013.

That blue and white icon with a check mark is a much-desired badge on Twitter. So what if even a fake account can flaunt one? It was only last month that Facebook announced its own blue check mark for “authentic accounts of celebrities and other high-profile people and businesses on Facebook.” Twitter’s verified account feature dates back to 2009. Unlike Twitter, though, Facebook will verify authentic identities on its own, and users cannot request to have a profile or Page verified.

One big difference between Facebook and Twitter was that Facebook required consent from both users for one to get updates from the other, while on Twitter a one-sided action would suffice. With the ‘Subscribe’ button, introduced in September 2011 (and renamed to ‘Follow’ in December 2012), Facebook let its users receive posts from other Facebook users, even from those they are not friends with. Quite like Twitter.

@mentions predate Twitter, but their usage gained popularity with the rise of Twitter. While Twitter added support for @mentions (or @replies or tagging) in May 2008, Facebook’s integration came more than a year later in September 2009.

That’s not all. Twitter had a feature where hovering over a username would display an information box with the user’s details (Twitter has now changed the action from rollover to click), and this, obviously, found its way into the Facebook user experience.

If you are in the mood for some micro-inspirations, here’s one. Twitter no longer asks you to tweet “What are you doing?” (it switched to “What’s happening?” quite some time ago), and when Facebook went for a redesign in August 2008 it gave more prominence to its status update feature and began asking users, “What are you doing right now?” Note the similarity?

It’s not that Twitter didn’t seek inspiration elsewhere. It did and continues to do. So does Google+. The problem with this feature aping is that the competing social networks are slowly becoming clones of one another, feature by feature. Soon there might be little to tell them apart from their brand names.