Khalil Shreateh, a Palestinian web developer and hacker, found an interesting vulnerability in Facebook that allows an attacker to bypass the privacy settings and make a post on anyone's Timeline / Wall.
He was forced to post the vulnerability details on Mark Zuckerberg's (Facebook founder) Timeline to prove his point, after the Facebook Security Team had failed to recognize his critical vulnerability three times. The flaw even worked against victims who were not in the attacker's friend list.

According to Facebook's Bug Bounty program, a researcher has to submit the flaw details via email to the Facebook Security Team without disclosing them publicly. To receive the minimum reward of US$500, the flaw must be valid.
The reported vulnerability is in the "composer.php" file of Facebook's posting mechanism. First, Khalil made a post on the timeline of a girl, "Sarah Gooden", who studied at the same college as Facebook CEO Mark Zuckerberg.

But the Facebook Security Team was not able to reproduce the bug at first and replied, "Sorry, this is not a bug." Finally he explained his disappointing experience with the security team, along with the flaw details, on Zuck's wall to prove his report, and just after that he received a response from a Facebook engineer requesting all the details about the vulnerability.
After receiving the third bug report, a Facebook security engineer finally acknowledged the vulnerability but said that Khalil would not be paid for reporting it because his actions violated the website's security terms of service.