back to article Palestinian Facebook flaw-finder getting $10,000 payday in online appeal

A Palestinian IT student who spotted a serious security flaw in Facebook's coding – but was denied payment for it and booted off the social network – could be getting as much as $10,000 after members of the security community rallied around and set up an online compensation fund. Khalil Shreateh found a bug that allowed an …


This topic is closed for new posts.
  1. Silviu C.

    Next time

    Let the highest bidder get the bug... "Oh but, but people, innocent people might suffer". Yeah, F them and F facebook too.

    The sooner something nasty happens on facebook the sooner people will learn not to post their private stuff online.

    1. Anonymous Coward
      Anonymous Coward

      So many people 'HATE' Facebook

      And yet it still survives with more and more lemmings signing up to the fact.

      Even my dog has his own page.........

    2. Anonymous Coward
      Anonymous Coward

      Re: Next time

      "The sooner something nasty happens on facebook the sooner people will learn not to post their private stuff online."

      I hate to say it, but I came to that conclusion too. It's human nature that people won't care until something nasty visibly happens to someone else in a similar position, and they learn not to make the same mistake.

      Remember that story a while back about a lesbian in America being inadvertantly outed to her homophobic father due to the consequences of Facebook's wilfully complex (and inadequate) privacy settings?

      As far as I'm concerned, it was desirable that this happened- or rather, was seen to have happened- to her. Purely because the consequences were still far less dangerous than they would be to someone in a part of the world where people are routinely persecuted or even murdered for their sexuality, such as parts of the Middle East or Jamaica.

  2. Anomalous Cowshed

    This kind of attitude is wrong

    A man discovers a massive black hole in the coding and security of the core mission-critical process of a mega multicorp. Dutifully and in good faith, he informs the multicorp of this flaw, and he modestly claims the bounty of $500 that is officially on offer to those who find any serious bugs in their systems. Instead of kissing his feet in gratitude, the multicorp refuses to pay him and then slams the door in his face.

    What kind of justification is there for such an attitude?

    If you treat the bona fide white hat researchers/bounty hunters like this, it's not hard to see how they might decide to dye their hats another, darker shade, and start to take advantage of their insight and ingenuity to make a whole load more cash than the $500 bounty offered for reporting such a fundamental flaw. Imagine how much money someone might make just by threatening to go public with such flaws, let alone trying to exploit them for darker and more covert purposes...

    1. Don Jefe

      Re: This kind of attitude is wrong

      You don't have look too hard for this kind of arrogance in plenty of developers. The attitude seems to be directly proportional to the size/recognition of their employer: "Nothing is wrong with our stuff, the stupid users are just idiots".

      I'm not arguing that most users aren't idiots, but I do believe that this sort of attitude is harmful to the entire technology profession. Nobody likes the arrogant asshats of the world, no matter how smart they may be.

    2. Nate Amsden Silver badge

      Re: This kind of attitude is wrong

      not knowing what kind of person Zuck is myself, I can't help but wonder if he is the type of person to throw a huge hissy fit over having someone "hack" his feed/timeline thingie, and the security group doesn't want to potentially piss him off again by paying the guy that found it. I think most of the CEOs I have worked for would not of taken this sort of thing kindly. Zuck being a developer maybe he is different.

      Perhaps people on the security team are those involved in this "industry" donation thing, to pay him on the side or something.

      I think it would of been cooler had the guy leveraged a bot net and a few hundred/thousand dummy accounts and just spam porn all over facebook over millions of people's timelines. That would be AWESOME.

      (obviously not a FB user)

      1. Don Jefe

        Re: This kind of attitude is wrong

        Most of my previous CEO's would have just fired the security lead on the spot for allowing this embarrassment to happen. Not just the vulnerability that can be managed, but the massive PR stink. Trying to be a presence on Wall Street and being caught out over a whopping $500 and having a blazing dickhead do the apologizing just isn't the way things are done.

        Now they all look like asses and the guy who organized the fund raiser has become a hero and copped a ton of free, positive press for his business.

        Ah hell, I'd probably fire him myself.

        1. monkeyfish

          Re: This kind of attitude is wrong

          Maybe the security team could have a account. Hack it, and your bug is investigated and paid for. A bit less high profile than doing it to the CEO.

          1. Don Jefe
            Thumb Up

            Re: This kind of attitude is wrong

            That's actually a good idea!

            You should submit the lack of a public penetration account as a vulnerability that puts all Facebook users at risk. Claim your $500.

        2. Acme Fixer
          Thumb Up

          Point Taken - Re: This kind of attitude is wrong

          I wonder if anything can be read between the lines of "tightening up (our whatever)". Like I just got chewed out by the Boss because I let this slip through without catching it the first time.

          Maybe the fear of being fired will instill a bit of diligence into them and prevent it from happening again.

  3. Anonymous Coward
    Anonymous Coward

    I hate Facebook for its complete disregard for privacy, and I hate it even more for shafting someone who took the time to help them. Facebook are a nasty piece of work.

  4. Steven Roper

    I'll say it, since nobody else has the guts to

    It's extremely politically incorrect to say this, and I'll likely cop a pasting as an anti-Semite and a Nazi and all sorts from the more oversensitive and zealous commentards, but -

    Zuckerberg is a Jew. Shreateh is a Palestinian. I'd wager heavily that this political condition has at least some measure of effect in the making of Facebook's decision to refuse payment. After all, that money might be used to support anti-Israeli terrorism, no?

    There, I've got it off my chest. Let the downvotes roll in, fellas.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'll say it, since nobody else has the guts to


      Are you seriously suggesting that Zuckerberg has a team watching to see if any Palestinians submit vulnerabilities just so the company can refuse them payment? Maybe you think he's reviewing the submissions personally. Perhaps there's a question on the submission form "Do you support a Zionist expansion of traditionally inhabited lands stolen from Gods chosen people by unbelievers?" - Select YES to collect your reward, select NO to declare jihad on your enemies and be reported to Mossad.

      Jesus Christ, it's shit like this that makes me wonder if people in the West just make the whole mess in the Middle East even worse. Every volatile situation is just begging for input from the village nutter, he'll make everything better!

      Have an upvote for the warning that you may be dangerously unhinged and thanks for making the world just a little bit worse.

    2. Don Jefe

      Re: I'll say it, since nobody else has the guts to

      Just out of curiosity, what's the advantage of saying something like that?

      1. Steven Roper

        Re: I'll say it, since nobody else has the guts to

        @ Don Jefe: No advantage, in fact I've probably earned a place on a few watchlists for posting that opinion. I just felt I should point it out because the possibility existed that it was a motivating factor and that mentioning it as such was likely to invoke artificial social taboos designed to silence debate.

        As to you others who felt it necessary to resort to abuse and insult, thank you for illustrating why it is necessary to oppose the proponents of political correctness, who are the very ones who use these tactics to silence discussion and dismiss opinions you don't like. What you fail to understand is that the more you abuse and deride those who don't share your worldview, the more people will oppose you, and the greater the eventual horror that will arise from that opposition. You seem to have forgotten, as so many have in the past, that carrot is more effective than stick.

        1. Bumpy Cat

          Re: I'll say it, since nobody else has the guts to

          "I bet the Jews did this!" That's pretty blatant racism there, Steven. The guy is a US citizen, but because of his ethnicity you assume that he did this evil deed. It also fits the classic anti-semitic trope of Jews controlling things. Moreover, as others have pointed out, it's a stupid suggestion too. Do you think there's some special flag in the reporting process for reports from Palestine?

          As for getting on watchlists - get over yourself. A stupid comment on a random website doesn't warrant attention from the security services, or you'd be watching most of twitter.

          Broadly speaking, where does this hostility and suspicion of Israel come from? Sure they're not perfect, but what country is? Right next door there's a civil war raging that's killed more people in two years than all Arab-Israeli wars in history.

    3. Anonymous Coward
      Anonymous Coward

      Re: I'll say it, since nobody else has the guts to

      What you say sounds reasonable. Personally, I don't think someone should be harshly criticized for pointing to a profound distrust between the two nations as this is, sadly, a well-known historical fact.

    4. Anonymous Coward
      Anonymous Coward

      Re: I'll say it, since nobody else has the guts to

      I work in an Israeli based online advertising company. We regularly pay our Palestinian, Pakistani and a variety of other customers (haven't come across an Iranian yet, if one has actually managed to use our ads, I'm sure we'd pay him). Some of them struggle to accept the payments (either no paypal or they have security coming to ask them why they are getting money from Israel), with these guys we try our best to find a way to get them paid.

      As someone above posted, idiots like yourself make these situations worse.

    5. BorkedAgain
      Thumb Up

      Re: I'll say it, since nobody else has the guts to


      I have to admit, I did have similar thoughts to Steven's when I read this story, but my inner editor redacted them after consultation with my internal legal team and feasibility consultant.

      Side note: if you're going to have voices, might as well get them organised and co-operative... ;)

    6. Anomalous Cowshed

      Re: I'll say it, since nobody else has the guts to

      It looks like your comment hit a raw nerve, but you seem to have got a bit more upvotes than downvotes, so you're in the money for now. I have a question entirely unrelated to this matter though - are you the Steven Roper who used to work for BDP in Oxford Street in the late 1980s?

  5. Levente Szileszky

    "I'm not paying you...

    ...'cause you hacked me, Sugarhill himself, biatch."

  6. mIRCat

    But we're keeping the $500!

    Don't worry Facebook the publicity is free.

  7. DeKrow

    Twice vs Once

    He submitted it TWICE following the rules. No dice. He went outside the rules ONCE and it got noticed. He should be paid for finding a flaw in their bug-reporting system if nothing else.

    If following the rules doesn't work, most IT people I know wouldn't hesitate in bending / breaking the rules to get the desired effect if they believe it will get the right answer in the end. I know I would.

    $500 is very cheap for good advertising. Withholding $500 is very expensive to look this bad.

    1. Solmyr ibn Wali Barad

      Re: Twice vs Once

      Precisely. Uncovering a flaw in the critical process (an algorithm, sort of) should also be worth something.

      Circling the wagons is definitely a wrong approach here. But we shall see.

      /popcorn icon/

    2. Pascal Monett Silver badge

      Re: "very expensive to look this bad"

      I agree with your comment, and with your sentiment as well.

      However, I have to ask : just exactly how does Facebook look worse now ? I mean, on its bottom line, of course.

      Yes Facebook has been shamed, but is that going to change anything in its monthly revenue ? Yes, people are up in arms, but are those people who contribute to Facebook's bottom line in a meaningful manner ?

      Facebook has looked very bad before (bitch!), but that has not prevented it from becoming a billion dollar industrial behemoth.

      So, regretfully, I must admit that the Zuck probably doesn't give a flying monkey's about this issue.

      And that's too bad.

      1. Don Jefe

        Re: "very expensive to look this bad"

        The answer to how they lose financially is several fold immediately:

        1) White hats will be less likely to contribute, why bother? Internal costs of finding vulnerabilities will go up substantially: Crowdsourced vulnerability testing is cheap.

        2) They put out press releases on at least three major wire services, at a bare minimum cost of at least $4k. That's an 8x direct cost increase related to damage control.

        3) Most importantly: Companies like Facebook depend solely on the goodwill of their users. There's no real lock-in of any sort. Terribly negative PR, especially that riding on the positive actions of another company is not far removed from a dog collar manufacturer bragging about how easy it is to strangle puppies using their collars. Everytime FB loses a set of eyeballs it threatens the value of their ad placement service.

        Will any of this substantially change their next quarterly statement? No. But every little bit helps, big companies never die from the fallout of just one event.

  8. wayward4now

    I just hate facebook

    There, I said that.

  9. NormDP

    Another example that the people are gold and the "state" is crap.

  10. eLeft

    Facebook should double whatever the on-line collection makes!

  11. an it guy

    have a test account?

    This coming from Facebook that would like to force us to have one account and one account only?


    1. Russ Tarbox

      Re: have a test account?

      Surely such an account is against their T&Cs as well.

  12. TwoWolves

    To all who attacked Steven Roper

    I've got news for you. A lot of people in this world don't like each other, its probably never going to stop and no matter how hard you clap your hands the fairies are going to keep dying.

    Attacking people who merely observe this is simply childish.

    1. Pascal Monett Silver badge
      Thumb Down

      I've got news for you too

      This case can be righteously denounced on its technical aspects alone.

      Continuously bringing racism in to the picture is not the adult thing to do. It only fuels the fire.

      Yes, a lot of people do not like each other. As an adult, however, one simply looks at facts to discuss a matter.

      Besides, the Zuck may be a Jew, but he is not involved in this issue. And I doubt very much that the chief of security took time to get him on the phone and ask about the case.

      Now, if the chief of security was also Jewish, this entire argument might have a leg to stand on, but it would still be immature and petty.

  13. Crisp

    Security is everyone's responsibility

    Every security flaw that can be found and eliminated is one less flaw an attacker can use to compromise a system and use it to attack more systems.

  14. unitron
    Big Brother

    Did they know he was Palestinian...

    ...when he first submitted the bug?

    If not, then it's co-incidental.

    If so, then maybe it's still co-incidental, but I'd be a little less likely to automatically assume that it was.

    BB, 'cause there's no tinfoil hat icon.

  15. Anonymous Coward
    Anonymous Coward

    Fund is past $11,250

    The fund to pay Khalil Shreateh is past $11,250. The link is

    I would suggest that playing honorably with security researchers is in FaceBook's best interest.

This topic is closed for new posts.

Other stories you might like