“First sorry for breaking your privacy and post to your wall,” an apparent screenshot of the hack reads. “I has [sic] no other choice to make after all the reports i sent to Facebook team.”
The break-in, detailed on Shreateh’s blog (and in several agitated posts from Facebook developers on Hacker News), has been more than a little embarrassing for Facebook.
But it’s not exactly newsworthy that Shreateh found a bug — that happens all the time. In fact, Facebook runs a program that encourages white hat hackers to find and report bugs in Facebook infrastructure in exchange for a cash reward. What is unusual is that Facebook didn’t respond to Shreateh’s initial reports about the bug, and that Shreateh then exploited it in violation of Facebook’s policies for white hat hackers.
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” insisted Matt Jones, a Facebook software engineer, on the forum Hacker News. “Exploiting bugs to impact real users is not acceptable behavior for a white hat.”
