Date: 2013-08-20
BOSTON, Aug 20 - A man who hacked into Mark
Zuckerberg's Facebook page to expose a software bug is getting
donations from hackers around the world after the company
declined to pay him under a program that normally rewards people
who report flaws.
Khalil Shreateh discovered and reported the flaw but was
initially dismissed by the company's security team. He then
posted a message on the billionaire's wall to prove the bug's
existence.
Now, Marc Maiffret, chief technology officer of
cybersecurity firm BeyondTrust, is trying to mobilize fellow
hackers to raise a $10,000 reward for Shreateh after Facebook
refused to compensate him.
Maiffret, a high school dropout and self-taught hacker, said
on Tuesday he has raised about $9,000 so far, including the
$2,000 he initially contributed.
He and other hackers say Facebook unfairly denied Shreateh,
a Palestinian, a payment under its "Bug Bounty" program. It
doles out at least $500 to individuals who bring software bugs
to the company's attention.
"He is sitting there in Palestine doing this research on a
five-year-old laptop that looks like it is half broken,"
Maiffret said. "It's something that might help him out in a big
way."
Shreateh uncovered the flaw on the company's website that
allows members to post messages on the wall of any other user,
including Zuckerberg's. He tried to submit the bug for review
but the website's security team did not accept his report.
He then posted a message to Zuckerberg himself on the chief
executive officer's private account, saying he was having
trouble getting his team's attention.
"Sorry for breaking your privacy," Shreateh said in the
post.
The bug was quickly fixed and Facebook issued an apology on
Monday for having been "too hasty and dismissive" with
Shreateh's report. But it has not paid him a bounty.
"We will not change our practice of refusing to pay rewards
to researchers who have tested vulnerabilities against real
users," Chief Security Officer Joe Sullivan said in a blog post.
He said Facebook has paid out more than $1 million under
that program to researchers who followed its rules.