I'm not sure how Facebook was supposed to know this was a vulnerability. If you look at the actual conversation it looks like Khalil is reporting the ability to post on other people's walls as a vulnerability.
In the first email, Khalil simply says that he can post to Sarah Goodin's Facebook wall. He makes no mention of the fact that he and Sarah Goodin aren't friends.
The Facebook engineer replies that he is unable to see anything from the link that Khalil sent. This is because the engineer and Sarah are not friends.
Khalil responds with a screen shot of the post. Again, Khalil makes absolutely no mention that he and Sarah are not friends at all. In fact, at this point it would appear that Khalil is friends with Sarah, as he states that only her friends can see her wall. I guess he is able to see the post he made though.
At this point, Khalil decides that the only course of action is to go post on MZ's wall. How is that sort of escalation appropriate? By paying Khalil at this point, all you are doing is telling people that MZ's account is an acceptable place to report vulnerabilities, which is a horrible precedent to set.
I'm surprised you're not taking him to task for his poor grammar, sentence structure and obvious misspellings. To say "replay" when he means "reply", how the hell did his accent make it into his writing? Quite obviously his reports were ignored.
Most certainly, this chap should have followed proper decorum by consistently petitioning Facebook to pay heed, by filling out the necessary forms and ensuring a stamped, self-addressed envelope was also included should they choose to write to him at a later time.
And then to go and expound his savagery to the Noble CEO's account, an utter insult to civility indeed!
(Yes! I'm being sarcastic)
I don't know why you are being sarcastic. I don't make one mention of Khalil's grammar. I understand that everyone's first language isn't English, but Khalil isn't even making an effort to be clear or accurately communicate what the problem is.
In the comments of the blog post, Khalil admits that it isn't that he has a poor understanding of the English language, it is just that he doesn't care.
> whatever , i dont care for miss spelling , just the idea , i never correct an underline red word ;)
So we have a guy that doesn't give a crap about communicating correctly, who then complains when he is not understood.
My views below are not directed at you individually.
Through my sarcasm I was trying to convey the often imperialistic (and in my opinion useless douchebaggery) view we tend to take on certain matters and people, which, I believe, hinders communication and progress in general. It's not just a language barrier, it's a cultural barrier. One that exists even between people who speak the same language. (Don't know if the social media movie scene with Zuckerberg being reprimanded by Harvard was based on real events or pure fantasy, but that's a good example)
So he ignored some squiggly red lines, maybe his command of English is marginal. Maybe he's worried about bullets possibly flying over his head in a few minutes or in a situation that many of us in the west couldn't fathom. I've had to communicate in Spanish before and I know I probably slaughtered the grammar, spelling and more, but at that time I was trying to convey an important message. Fortunately the people I was speaking with were very kind and patient. They listened and somehow understood the sentences and symbols I had cobbled together.
We have this whole attitude that if someone doesn't fit our cultural context in language or behavior, they are somehow inferior, which is absolute BS. I have seen programmers with an accent perceived as being "dumb", while in fact they were far better than their peers. I myself have been subjected to this type of bias, when I forgot to follow some proper decorum somewhere, simply because I was broke and had more important things on my mind. This is typical of out-of-touch monolithic institutions and the type of thinking that goes with it. It's outright absurd and funny, just like my sarcastic comment :)
You are correct, I completely missed that. However, he again fails to provide any sort of explanation of what he did to perform the attack. Even if he had reverted back to his native language, he never even attempts to explain what he did to perform the attack.