Supporters crowdfund a reward for the Palestinian developer who hacked Facebook
A Palestinian white hat hacker became a hero in his village
yesterday for hacking Mark Zuckerberg’s Facebook page to reveal a
critical bug.
Today, the news about Khalil Shreateh continues to circle the
globe, revealing that the hacker, from Yatta, a town south of
Hebron in the West Bank, was initially rebuffed by Facebook’s
security team.
“I don’t see anything when I click [that] link except an error,”
one security team member wrote when Khalil initially posted on the
Facebook page of Sarah Goodin, a Harvard classmate of Zuckerberg’s
and the
first woman to join Facebook.
Yet Shreateh was adamant that he get the point across; after all,
as he told CNN in a
powerful interview, the bug’s implications were far worse for
Facebook than having users see the odd potential post from a
non-friend.
“To find a way to post to other Facebook users’ timelines, this is
dangerous,” Shreateh said. “This is so dangerous, because it will
allow people to make public ads without paying Facebook money.” If
spammers could post ads at will, it could cripple Facebook’s ad
program.
To demonstrate the bug, Shreateh then posted on Mark Zuckerberg’s
wall: “First, sorry for breaking your privacy and post to your
wall, I has no other choice to make after all the reports I sent to
the Facebook team.” (Read Khalil’s blog post in English and
Arabic for
the full story).
A security team member contacted him within minutes, disabling his
account. Shreateh’s account is now re-enabled, but he has not been
awarded the bounty typically awarded to white hat hackers who
demonstrate code vulnerabilities to Facebook.
The reasoning, Matt Jones of Facebook’s security team explained on Hacker
News, was that Khalil’s initial demonstration of the bug was
not well understood, and he had not followed the rules, which state
that hackers must “make a good faith effort to avoid privacy
violations,” and “use a test account instead of a real account when
investigating bugs.”
“We welcome and will pay out for future reports from him (and
anyone else!) if bugs are found and demonstrated within these
guidelines,” Jones concluded.
In Yatta, where Khalil lives, receiving the payout of $500 to a few
thousand dollars that Facebook’s Bug Bounty program typically offers
would have been life-changing; unemployment is above 22% in Yatta,
and he hasn’t found a job in two years. While he’s now received job
offers from hackers who want to exploit the bug, he’s turned down
those offers, he told CNN.
Now, members of the online community are taking the situation
into their own hands. Marc Maiffret, the Chief Technology Officer
at BeyondTrust, a leading security and compliance management
company, has launched a page to support Shreateh on
crowdfunding site GoFundMe.
With a goal of $10,000, it’s raised over $7,250 so far, and will
likely reach its goal by the end of the day.
“All proceeds raised from this fund will be sent to Khalil Shreateh
to help support future security research. Khalil Shreateh found a
vulnerability in Facebook.com and, due to miscommunication, was not
awarded a bounty for his work. Let us all send a message to
security researchers across the world and say that we appreciate
the efforts they make for the good of everyone,” says Maiffret, who
is famous himself for hacking Microsoft’s software (after waking up
to FBI agents
pointing guns at his head at the age of 17, he went on to
become a leading white hat hacker).
Members of the Palestinian tech community have responded in
support, posting in both the PalGeeks and
Peeks
communities.
“I feel proud of any achieving Palestinian… I feel proud about
Palestinian hackers… esp[ecially] white hats, because I do not have
to rationalize their behavior,”
said Tareeq Abdeen, a graduate of George Mason University
living in East Jerusalem.
“Even though it’s wrong from Facebook[’s] point of view, posting
on Zuckerberg’s wall was freakin’ awesome… This dude is a genius!”
said Rasha Rasem Khatib, one of Palestine’s leading coders
who’s working to
build a coding culture in Palestine, especially among
women.
“I think they [should] hire him[;] it is much better than giving
him the $500 reward,” said Lamees Abdeljalil, a graduate of Birzeit
University.
It looks like Shreateh will receive far more recognition, and a far
larger reward, than Facebook’s Bug Bounty program offers.
“With great power comes great responsibility. Thank you for
exercising both,” one donor wrote on the wall of his GoFundMe page.