Researcher: Facebook Ignored The Bug I Found Until I Used It To Hack Zuckerberg
Adam Rifkin stashed this in Hacker News!
Julie Bort writes:
Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall.
The message said, "Sorry for breaking your privacy ... but a couple of days ago, I found a serious Facebook exploit" and explained that Facebook's security team wasn't taking him seriously.
That worked, and fast. Within minutes a Facebook security engineer contacted Shreateh and asked for details on how he did it, Shreateh says.
In a post on Hacker News, Matt Jones from Facebook's security team said that once the team understood the bug they acted quickly, "We fixed this bug on Thursday."
They also temporarily suspended Shreateh's account and said they wouldn't pay him the bounty fee because, by posting to Zuck's account, he violated Facebook's terms of service. Then the Facebook team asked him to continue to help them find bugs, he says.
Commenters are split on whether Facebook ripped off Shreateh or not. Facebook says that Shreateh didn't include enough technical info when he tried to report the bug. You can't just demonstrate the bug, you have to explain how it works.
On the other hand, he wouldn't have hacked Zuck's account if the security team had asked him for more details the first two times he tried to report it.
Facebook's full comment on what happened is posted on Hacker News.