Chang Chi-yuan is something of a minor celebrity in Taiwan, having regularly publicised security holes in online services, and even appeared on TV talk shows describing how boredom has driven him to “dabble” in hunting for bugs in the hope of earning cash through bounties.
His past activities have seen him recognised on, for instance, the “Hall of fame” page of Japan’s popular Line messaging service.
But perhaps Chang Chi-yuan became most notorious when he was reportedly sued for hacking into a Taiwanese bus operator and buying a ticket for just one Taiwanese dollar (equivalent to a mere US $0.03). Perhaps unsurprisingly, the bus company was not amused.
More recently Chang has claimed to have found a loophole in Apple Pay that allowed him to buy 500 iPhones for just one Taiwanese dollar.
The method Chang might use to erase Mark Zuckerberg’s Facebook page hasn’t been shared in advance, but it certainly wouldn’t be the first time that such a high profile page on the social network has been targeted.
For instance, in 2013 a Palestinian researcher defaced Zuckerberg’s page after becoming frustrated that Facebook’s security team had not taken his claims of a security vulnerability seriously.
Facebook’s security chief ultimately admitted that his team had made mistakes, but still refused to pay the researcher a bounty.
But what Chang is suggesting is different. He is not only claiming that he will completely take down Zuckerberg’s Facebook page, but he’s announcing his plans in advance, and is planning to stream his attempt live on the internet.
This alerts Facebook’s security team not only to the potential for an attack this weekend, but also to who is behind it.
With such an audacious announcement, one would hardly find it surprising if Facebook chose to take action beforehand such as – perhaps – shutting down the researcher’s Facebook account. Of course, Chang could probably create another Facebook account – but one still needs to remember that unauthorised modification of Zuckerberg’s Facebook page is a criminal offence.
If you believe you have found a vulnerability in a product or online service, the responsible thing to do is to report it to the company concerned, and work with them to have it fixed in a timely fashion.
The wrong thing to do is hack into the company without their permission to demonstrate the flaw. That might raise your profile on TV stations, but could result in you ending up in legal hot water.
It remains to be seen if Chang keeps his promise and attempts to hack into Mark Zuckerberg’s Facebook page. No doubt there will be some people, especially in light of recent Facebook revelations, who will be cheering him on.
My advice, however, would be that he should cancel his plans and communicate directly with Facebook’s security team rather than engage in such a stunt.