Facebook refuses to pay $500 to hacker who reported bug because he “violated the TOS”

Someone at Facebook is going to have some explaining to do to the boss. On Facebook only your friends are supposed to be allowed to post to your wall and that’s only if you have set up the permissions to allow it.

A Palestinian hacker found a vulnerability that allows anyone to post to another user’s timeline whether they’re friends or not. Khalil, a systems information expert from Palestine, discovered the exploit and tried to report it to Facebook’s security team…twice.

Facebook has a program where they offer hackers a minimum of a $500 reward for reporting vulnerabilities. To prove that he could do it, Khalil posted an Enrique Iglesias video to Sarah Goodin’s wall. Sarah is just some random girl that Zuck went to college with.


The problem is that Facebook’s security team didn’t seem to understand exactly what Khalil was talking about and told him this was not a bug. He even warned them that he could post to Zuckerburg’s wall and that didn’t seem to sink in either.

Obviously annoyed they responded, “Ugh!!! you can’t see that post unless you’re a friend of sarah,” and simply, “this is not a bug”.

So…he posted to Zuckerberg’s wall.

In less than a minute his Facebook account was suspended and he was contacted by a Facebook engineer requesting all the details of the exploit. This is the email he received from them.

Dear Khalil,

Facebook disabled your account as a precaution. When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.

We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.

We have now re-enabled your Facebook account.

Security Engineer

Of course, it’s all his fault, the security team couldn’t have said, “Yeah we see what you’re talking about we need some more technical information.” Khalil tried at least two times to contact them and both times, if you read the conversation, they just totally blow him off. Facebook just isn’t paying up because Zuckerberg got embarrassed.

Khalil’s blog

Posted by James Poling

A socialist, tinkerer, thinker, question asker and all around curiosity seeker. If you'd like to reach me you can use the contact link above or email me at jamespoling [at] gmail [dot] com.


  1. Nobody Important August 18, 2013 at 10:15 pm

    Screw facebook.
    It will not exist in 5 years anyhow.



    1. It will probably exist it’ll just be like MySpace is today. Barren and depressing.



      1. It’s not that way already?



        1. It’s not barren yet, they still get a ton of traffic. It’s depressing as hell though.


Speak Your Mind

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s