According to a Daily Dot post today, a benevolent hacker named Khalil Shreateh found a bug in Facebook’s privacy settings, and informed the company about it in a rather unconventional way. After many failed attempts to get through to reps, he posted his findings on Mark Zuckerberg’s wall.
While he thought the company might express gratitude by dishing out the cash reward it gives to so-called “white hat hackers,” Facebook ended up causing him grief:
…the reward was not forthcoming. Instead, Facebook shut down his account for violating the site’s terms of service.
He eventually convinced Facebook to restore his account, but he couldn’t talk the company into a White Hat payout, although Facebook engineers acknowledge he discovered the bug.
“Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” wrote the Facebook employee who restored Shreateh’s account.
Typical Silicon Valley libertarianism – cheating Shreateh out of money, while inviting him to continue to do work on the company’s behalf.
Shreateh can count himself lucky that he won’t end up behind bars, though. His story is somewhat similar to that of Andrew “Weev” Auernheimer, the benign troll who was sentenced to 41 months in prison for, essentially, embarrassing AT&T:
Using a program called “account slurper,” which Weev didn’t even write himself, he collected these emails and then sent them to Gawker — just to prove a point, he insisted. Like any good troll, Auernheimer did it to get a rise out of people, telling Gawker’s Adrian Chen that he thinks the breach wasn’t “a big deal” and that “What made it big is the way I presented it.” At a press conference before his sentencing, Auernheimer reiterated that point: “I’m going to jail for doing arithmetic,” he said. Really, all he did was collect e-mail addresses, something that a lawyer told Chen does not at all break the law. And yet, because of the now famously harsh penalties for “unauthorized access” in the Computer Fraud and Abuse Act, Weev is facing several years in prison for a felony crime.
It sucks you got bucked by the Zuck, Khalil. But be careful next time! Causing important tech execs to blush can land you in prison in America.