Nothing is supposed to show up on your Facebook Wall unless it's posted by you or your friends, but it can happen, as Khalil Shreateh just proved.
By posting on Mark Zuckerberg's wall.
Shreateh, a security researcher from Palestine, first reported the bug to Facebook, which pays people to report such things rather than sell them on the black market.
But, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.
When he tried a second time to warn the company and was rebuffed, Shreateh posted on the Wall of Sarah Goodin - a friend of Facebook CEO Zuckerberg.
That got their attention REALLY fast.
The message said, "Sorry for breaking your privacy ... but a couple of days ago, I found a serious Facebook exploit" that the social network wasn't taking seriously.
Within minutes, a Facebook security engineer took it seriously, contacting Shreateh (and his Edward Snowden avatar) and asking for details on how he did it.
Matt Jones from Facebook's security team said after the fact that once the team understood the bug they acted quickly, "We fixed this bug on Thursday."
They also temporarily suspended Shreateh's account and said they wouldn't pay him the fee because, by posting to Zuck's account, he violated the terms of service.
The Facebook team asked for his help finding future bugs, however. Natch.
Commenters online are split on the matter. Facebook says that Shreateh didn't include enough info when reporting it ... as in how to actually do it and fix it.
On the other hand, he wouldn't have hacked Zuck's account if the security team had asked him for more details the first two times he tried to report it.
What do you think? Should he be paid the bounty? And should he have better utilized the prank potential of this by posting about Demi Lovato nude or something?
Share your take on the situation with us in the comments.