He stole Facebook’s source code, but never copied, published, or sold it. Then he was arrested and imprisoned. Now released after four months in jail, Glenn Steven Mangham claims in a blog post that he’s an innocent white hat hacker who was trying to help Facebook patch security vulnerabilities.
However, Facebook responded to my request for a statement about the 26-year-old’s claims with “Mr. Mangham’s excuses have already been evaluated and rejected by a court of law, resulting in his conviction and jail time.”
Mangham says he planned to inform Facebook of the vulnerabilities, and could have entered Facebook’s White Hat program that offers security researchers protection against legal repercussions. However, Mangham was arrested after possessing the source code for three weeks without informing Facebook. Is he telling the truth, or lying through his teeth?
Here’s how the hack went down. Starting April 27th, 2011, from his bedroom in his parents’ house in Acomb, York, England, Mangham spent two weeks hacking into Facebook using a variety of software. Through Facebook’s Programming Challenge, where potential hires can try solving puzzles, Mangham hacked in and gained access to Facebook employee Stefan Parker’s account. He used the staff member’s privileges to access internal servers. There he discovered the site’s source code and downloaded it from America back to the U.K.
Spooked by signs that Facebook was on to him, he claims he was scared to disclose his intrusion to Facebook. Facebook’s White Hat Responsible Disclosure Policy reads,
“If you believe you’ve found a security vulnerability on Facebook, we encourage you to let us know right away. If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”
Three weeks after he nabbed the code, the FBI and British law enforcement arrested him in an investigation Facebook said cost it $200,000. Mangham says he’s suspicious of such a high cost, noting “I cannot understand how it took 3 weeks and $200,000 dollars to look in the Apache access log, get my IP address, perform some sense checking and request the record from my Internet Service Provider.”