Facebook user ‘hacks’ Mark Zuckerberg’s account

Newstalk

09.54 19 Aug 2013


The Palestinian IT expert submitted a number of reports to Facebook’s security team, as typically only friends should be able to share links with other accounts. Khalil eventually received a response from a Facebook employee stating that they could not identify the reported ‘breach’. Khalil’s attempts to clarify his error report were ignored.

To draw attention to the bug, Khalil opted instead to share a link with Facebook CEO Mark Zuckerberg along with details of the exploit. This extreme method had the intended impact, and within minutes Khalil was contacted by a software engineer from the social network. The hacker’s account was temporarily disabled while the Facebook team examined and ‘closed’ the security hole. The process was documented on Khalil's blog.

Khalil is what is known as a ‘white hat’ or ethical hacker. In contrast to the malicious activities generally associated with computer hackers, white hats aim to identify security holes and alert the owners of the sites in question before the bug is taken advantage of - to cooperate rather than maliciously attack. Facebook actively support white hat hackers that operate within their terms of service, and provide financial rewards - or a ‘bug bounty’ - of at least $500 to anyone who successfully identifies a significant security hole. According to one commenter claiming to be a member of a Facebook security team, this has so far resulted in payouts of over $1 million. Anyone can also set up a ‘test account’ to try to replicate or confirm any possible bugs.

The white hat terms of service request hackers “give [Facebook] a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research”. Given that Khalil breached privacy guidelines and used real rather than test accounts to illustrate his point, Facebook are currently resisting paying him any bug bounty. However, the alleged Facebook engineer admits “we should have pushed back asking for more details” after the initial reports.

Khalil has uploaded a video illustrating the now-fixed exploit:

