Hacker Gets $15,000 Bounty For Solving Major Bug with Facebook
The hacker managed to crack a major bug in Facebook that could have severely impacted any user.
Hackers can make big money by finding backdoors for Facebook, Google, and even Twitter – it helps the companies detect and close security loopholes. The amount is a reflection of the companies’ effort and the risk which has been thwarted.
The Bangalore-based hacker was rewarded with $15,000 by Facebook for cracking a login-related bug which could have had catastrophic implications for users of the social networking site.
What Was the Issue?
Apparently, the hacker, Anand Prakash, was able to infiltrate into various Facebook accounts by resetting the password which gave him the following details. Facebook has admitted to the breach, and in return awarded him the bounty.
This post is about a simple vulnerability found on Facebook which could have been used to hack into other users’ Facebook accounts easily without any user interaction. This gave me full access to other user accounts by setting a new password.Anand Prakash, Facebook bounty winner
Facebook Login Under Threat
Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address and Facebook will then send a 6 digit code on his phone number/email address, which can be used in order to set a new password.Anand Prakash, Facebook bounty winner
But that’s not all, Anand then looked out for the same issue on
beta.facebook.com and mbasic.beta.facebook.com, and
interestingly found the rate limiting was missing on forgot password endpoints.
To check the outcome, Anand decided to hack his own account and set a new password for it. After successfully doing so, he used the same password to login in the account which set the alarm bells ringing.
Once he alerted Facebook about the discovery, the social networking giants duly replied to Anand and thanked him for his findings.
Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.