Hacker: I pwned Zuckerberg; at least give me a stupid T-shirt

When Facebook fails to pay $500 bug bounty, hacker goes public -- by hacking Zuckerberg's Facebook account

1 2 Page 2
Page 2 of 2

Still, I can think of a few things Shreateh could have done if he'd decided to go rogue or sell the exploit on the Internet's black market, all of them worth a hellovalot more than 500 bucks:

  • Use it to generate Facebook spam to millions of users.
  • Use it to generate links to a drive-by malware installation site.
  • Use it to run a scam targeting specific users, à la the "I'm stranded in London please send money" con that cost at least one gullible Facebook user in Missouri $4,000.
  • Use it to impersonate a famous person -- say, Mark Zuckerberg -- and make some coin by posting bogus statements that could drive his company's share price up or down momentarily.

In the grand scheme of things, posting a sincere note to Zuckerberg's wall is a pretty benign way of making a point.

Pay now or pay later

This is an increasingly common, if controversial, tactic among security researchers. In May, Google announced it was now going to give Microsoft a week to respond to private notifications of critical flaws before going public with them -- a response to Microsoft's blatant foot dragging in fixing holes (possibly at the behest of the NSA).

Facebook is also notorious for failing to respond quickly to public concerns over privacy and security -- or queries from journalists, for that matter. I'd estimate that maybe a third of the questions I've sent to Facebook over the years have ever garnered any response.

I totally get Shreateh's frustration. I also get that Facebook would rather not encourage researchers to post their exploits to real accounts, especially those of its founding CEO.

But would it rather have Shreateh bring his next exploits over to the dark side? How much would it cost Facebook in the long run if he and his security wonk brothers changed the color of their hats from white to black? In the face of that, $500 is a steal.

Would you pay Shreateh the money? Tell me why or why not below or email me here: cringe@infoworld.com.

This article, "Hacker: I pwned Zuckerberg; at least give me a stupid T-shirt," was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, follow Cringely on Twitter, and subscribe to Cringely's Notes from the Underground newsletter.

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
How to choose a low-code development platform