Facebook rewarded a Bengaluru-based hacker after he discovered a flaw in the social networking site's login system that could have let hackers access any account without users' consent. Anand Prakash, who works as a security analyst at Flipkart, was rewarded $15,000 (approximately Rs 10 lakh) for reporting the bug, which was instantly patched by Facebook engineers.
"Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address and Facebook will then send a 6 digit code on his phone number/email address, which can be used in order to set a new password," Prakash wrote in his blog on Monday. But Prakash found that Facebook's beta sites did not have a limit for entering PINs used for password resets.
Usually, Facebook's account reset tool blocks the attacker after 10-12 invalid attempts, but on beta.facebook.com and mbasics.beta.facebook.com Prakash was able to manipulate the scripts and lift that limit on the PINs used for password resets. With the correct PIN he gained full access to the target account: he could reset its password, read messages, view the debit/credit cards stored under payments, and view photos.
"Brute forcing the "n" successfully allowed me to set [a] new password for any Facebook user," he wrote. Prakash demonstrated the attack on his own account rather than on other users' accounts, which also qualified him for Facebook's bug bounty programme reward.
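The control the beta sites lacked is an attempt budget on reset-code verification. The verifier below is an added illustration, not code from Facebook or from Prakash's write-up: it issues a 6-digit code, compares guesses in constant time, counts failures per account and refuses further checks once the budget is spent; the 10-attempt budget follows the article, while the 10-minute expiry is an assumption.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 10        # the article says the main site locks after 10-12 invalid tries
CODE_TTL_SECONDS = 600   # assumed expiry; the article does not state Facebook's value


class ResetCodeStore:
    """Issues one-time reset codes and verifies them with a per-account attempt budget."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}       # account -> [code, issued_at, failed_attempts]

    def issue(self, account: str) -> str:
        # A fresh code replaces any earlier one and resets the failure counter.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._now(), 0]
        return code

    def verify(self, account: str, candidate: str) -> str:
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_reset"
        code, issued_at, failed = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        if failed >= MAX_ATTEMPTS:
            return "locked"            # even the right code is refused once locked
        if hmac.compare_digest(code, candidate):
            del self._pending[account]  # one-time: success consumes the code
            return "ok"
        entry[2] = failed + 1
        return "locked" if entry[2] >= MAX_ATTEMPTS else "wrong_code"


def bounded_guess_probability(attempts=MAX_ATTEMPTS, digits=CODE_DIGITS) -> float:
    """Chance a guesser wins within the attempt budget against a uniform random code."""
    return min(1.0, attempts / 10 ** digits)
```

With the budget in place a guesser succeeds with probability 10/10^6 per reset request; without it, as on the beta sites, every one of the 10^6 codes can be tried.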
Facebook's beta programme lets testers try the site on a wide range of devices and report bugs, which helps the world's largest social networking platform improve the site's performance and security without affecting the main platform.
Prakash sent the bug report to Facebook's security team on February 22, and the issue was resolved the next day. The bounty of Rs 15 lakh was awarded on March 2.
Facebook started the bug bounty programme in 2011 and has paid out over $1 million in rewards to 330 security researchers around the world. The company also maintains its own Hall of Fame to recognise researchers who have helped make the site more secure. The minimum reward under the programme is $500, while the company has offered as much as $33,500 depending on the bug found and its overall impact.
In 2016, Facebook has already listed 13 researchers on its Hall of Fame. Surprisingly, Prakash's name does not appear in the list.