Facebook has rewarded ethical hacker Anand Prakash from India a bounty of $15000, or Rs 10 lakh, for discovering a bug which could have been used to hack into any account on the social networking website. Prakash reported the vulnerability on February 22 this year. It was fixed by the company on February 23, following which it awarded the aforementioned amount to the Bangalore-based security engineer.
How the hack works
If a user forgets their Facebook account’s password, they can select the option to reset it by submitting the phone number or email address tied to that ID. When such a request is made, a 6-digit code is automatically sent to the individual’s mobile or mail address. They can then enter those 6 numbers in the provided box and reset their password.
Even if a hacker does not have access to the phone or email ID belonging to the person whose Facebook account they’re attempting to take over, they can initiate a ‘password reset request’ and try to guess the 6-digit code sent to the concerned user. But due to rate limiting, the would-be attacker will be blocked after 10 to 12 tries.
Interestingly, Prakash found the same security policy was not applied to the beta version of Facebook. Rate limiting was absent on forgot password endpoints here, as explained in his blog post. Following Facebook’s guidelines which insist that no harm must be done to another user’s account, he tried to hack into his own profile.
With Burp Suite software, Prakash launched a brute force attack and succeeded in resetting the password to his account. He could then sign in with the new password. Though the bug would have affected only the beta version of Facebook, it’s still a big deal. Because even if it is generally used by software developers, it allows anyone to log in.
So Prakash could have exploited the vulnerability to hack into anyone’s account. But he chose to do the responsible thing and notify Facebook about it.