

Palestinan Khalil Shreateh sits in front of his his computer at his home in the West Bank town of Yatta, Monday, Aug. 19, 2013 (Photo: Nasser Shiyoukhi/AP)



Photo of Aaron Swartz on Khalil’s facebook page

This is a great story that has gotten a lot of attention in the tech community. A Palestinian hacker named Khalil Shreateh kept reporting a bug in the Facebook code to Facebook, but techs blew him off. Finally he hacked Mark Zuckerberg’s page to post the bug there, along with an apology. “Sorry for breaking your privacy. I has no other choice… as you can see iam not in your friend list and yet i can post to your timeline.”

All hell broke loose, and Facebook cut off Shreateh’s Facebook page and also refused to give him the reward Facebook advertises for techies who discover glitches. The hacker community stepped up and rallied to reward him via a fundraising campaign on GoFundMe that has already raised over $11,000.

And now the hacker– who has used the portraits of Edward Snowden and the late Aaron Swartz, above, in his profiles– has become a global folk hero, and Zuckerberg has egg on his Facebook.

The story has been propelled by Shreateh’s devilish chops, sense of humor, and English. “Hello guys, this will be English and Arabic,” the bilingual youth wrote, in a viral video on the “exploite” that he put together to prove that he’d discovered the glitch.

AP says Shreateh has been inundated by job offers from all over the world, and his reactivated Facebook page, which now features his own portrait, lists his business representatives.

I can only imagine the political dimensions of this story. Shreateh lives in occupied Yatta, a city in the West Bank that is a core site for warehousing people who are being moved off their lands. And as Alex Kane noted to me, all Palestinian stories are political:

In the U.S., we’ve been trained to views Palestinians crudely; I imagine if you ask Americans what’s the first thing you think of when you think of Palestine, they would say Islamists, Hamas or war. But Shreateh is a reminder that this is a sophisticated society, one of the most highly educated in the world. Of course elements of Palestinian society are still tied to traditional ways of living–and there’s of course nothing wrong with that–but Palestinians are a part of our world, our hyperconnected Internet-infused world.

Right, that’s what’s thrilling about Shreateh. He destroys stereotype, and does it with brilliance, mischief, and some good oldfashioned resistance.

OK, some of the facts. From a tech site: “Snubbed by Facebook, Security researcher hacks Mark Zuckerberg’s Facebook page.”

Although Shreateh’s Facebook account was soon reactivated, he was told he wouldn’t qualify for Facebook’s bug-bounty program, which rewards researchers who find security flaws with payments ranging from $500 to $5,000. “We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service” by making an unauthorized posting to a member’s page, the email message Shreateh received said. “We do hope, however, that you continue to work with us to find vulnerabilities in the site.” To Shreateh, who says on his blog that he’s unemployed, this was unfair. “I could sell” the exploit in underground malware bazaars, he told CNN in an interview. “I could make more money than Facebook could pay me.”

If you go to Khalil’s blog, “Facebook vulnerability 2013,” he tells the story himself. He gives his address as “Yatta-Hebron/Palestine,” and his job as “unemployee :/”

Days ago i discovered a serious facebook vulnerability that allows a facebook user to post to all facebook users timeline even they are not in his friend list .

His account of the “exploite” is charming. At one point he used a Zuckerberg friend’s facebook page to try and get his message across.

Sarah Goodin is the girl that was in the same college with Mark Zuckerberg .

Apparently, Palestinians don’t have Harvard worship.

Then here’s some of his traffic with facebook techs:

as usual they ignored my replay so i did report another , this email shows their replay to my second report including the report : Hi Ḱhalil, I am sorry this is not a bug. Thanks, Emrakul Security Facebook

Well after a couple of these notes, Khalil proved his point by going to Zuckerberg’s page.

i know that you guys now know that it’s a bug for sure after facebook.com/ola deactivate my account which is& i want my account back soon as possible , as i report the bugs for you and i didnt use another fake accounts or test accounts to break privac

Facebook didn’t accept his story, and Shreateh called B.S. on it.

i replay back that facebook report page has a ” prove concept ” and i cant prove without sending pictures or video . that is bullshit after my second report i record this video which shows the exploit , i was rush recording it cause they was able to close that exploit in any second :

Here is that video account of his “exploite”, showing a computer screen. It’s gone viral, 360,000 views, complete with the adorable exploding-hearts-graphic as Shreateh’s marker.

A commenter explained to Khalil that “reply” is not spelled “replay.”

He responded:

whatever , i dont care for miss spelling , just the idea , i never correct an underline red word ;)

Richard Odekerken, technical director of VANAD Laboratories in Rotterdam, sought to counsel him too:

Ḱhalil you should realize that making so many grammar and spelling mistakes causes you to be taken less seriously by the rest of the world.

Ondrej Zastera celebrated him:

Hi Ḱhalil, you made a serious discover that could affect millions of people and you didn’t abuse it. You did the opposite thing – you reported it to the qualified persons. The level of understanding is relative. If something is unclear, questions should be raised. You were obviously ready to co-operate. No matter what, you deserve a certain kind of reward for sure. Facebook statement is just a shameful excuse for not giving it to you. You deserve a credit, not a disrespectful treatment we see here.

AP managed to get a photo of Shreateh (above) in Yatta and describes the job offers.