The way Facebook privacy works is that if your profile isn’t set to public, only the people you have added to your friends list can post on your wall. A self-titled Palestinian security expert, Khalil Shreateh, says that he discovered an exploit in Facebook that would let anyone post on anyone’s wall. He says that he reported the exploit to Facebook through their bug reporting tool, but they didn’t pay any heed and told him that his discovery was not a bug. Determined to raise awareness, Shreateh went ahead and posted on the wall of Facebook CEO Mark Zuckerberg, who obviously did not have him on his friends list. Within minutes of posting, he was contacted by a security engineer.
He was asked for further details about the exploit; meanwhile, his account was disabled, possibly because a greater security risk was perceived. Facebook has since fixed the exploit and re-enabled Shreateh’s account, but he is not going to be paid for this disclosure. Like many companies, Facebook pays whitehat researchers for the exploits and bugs they report, with a payout of at least $500. Shreateh is said to have violated Facebook’s terms of service, since he did use the exploit to post on someone’s wall without their consent. One could make the argument that had he not posted on Zuckerberg’s wall, the exploit may have been used to spread spam across the social network. Should Facebook decide to cut Shreateh some slack on this?