Security researcher Anand Prakash recently discovered a serious vulnerability in Facebook's password-reset flow. There is nothing to worry about, though: as a white-hat hacker, Prakash reported the loophole to the largest social network rather than abusing it.
Whenever a user resets a forgotten password on the social network, Facebook sends a six-digit code to the user's phone or email address, and that code must be entered before a new password can be set. On www.facebook.com the site blocks further guesses after a handful of failed attempts, but Prakash found that this limit was missing on beta.facebook.com, where developers test new features that aren't yet ready for the wider audience. Because beta.facebook.com validates codes for the same user accounts as the main site, the flaw let Prakash bombard the page with guesses until one was accepted, giving him control of the targeted account without ever knowing its password.
“Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number or email address at https://www.facebook.com/login/identify?ctx=recover&lwv=110. Facebook will then send a 6-digit code on his phone number/email address which user has to enter in order to set a new password. I tried to brute the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts,” explained Prakash on his website.
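To make the mechanics concrete, here is an added simulation of the attack and of the fix. It is constructed for this article and is not Prakash's script or Facebook's code; the account name "victim", the code "734219", the per-host limit of 10 guesses and the class and function names are all assumptions. Two front ends ("www", which locks after 10 wrong guesses, and "beta", which has no limit) validate codes against one shared backend. Exhaustively guessing through "beta" recovers the code; the fix is to enforce the attempt limit in the shared backend, where every host that validates codes has to pass through it.

```python
"""Simulation of the reset-code brute force described above (constructed example)."""
import hmac
import secrets

CODE_SPACE = 10 ** 6   # six decimal digits: 000000-999999
WWW_LIMIT = 10         # assumed per-host lockout, matching the "10-12 attempts" reported


class SharedStore:
    """Backend state every front end uses: issued codes and failed-guess counters.

    max_attempts=None models a backend that trusts each front end to rate-limit
    (the beta situation); a number models the fix, a limit enforced here for
    every host that validates codes against this store.
    """

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self.codes = {}      # account -> pending 6-digit code
        self.failures = {}   # account -> wrong guesses since the code was issued

    def issue(self, account, code=None):
        """Issue a fresh code; `code` is a test hook for deterministic runs (assumed, not a real API)."""
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[account] = code
        self.failures[account] = 0
        return code

    def _over_limit(self, account):
        return self.max_attempts is not None and self.failures[account] >= self.max_attempts

    def check(self, account, guess):
        expected = self.codes.get(account)
        if expected is None:
            return "no-code"
        if self._over_limit(account):
            return "locked"
        if hmac.compare_digest(expected, guess):   # constant-time comparison
            del self.codes[account]                 # a code is single use
            return "ok"
        self.failures[account] += 1
        return "locked" if self._over_limit(account) else "wrong"


class FrontEnd:
    """One login host with its own, host-local guess counter (max_attempts=None: no limit)."""

    def __init__(self, store, max_attempts=None):
        self.store = store
        self.max_attempts = max_attempts
        self.local_failures = {}

    def _over_limit(self, n):
        return self.max_attempts is not None and n >= self.max_attempts

    def verify(self, account, guess):
        n = self.local_failures.get(account, 0)
        if self._over_limit(n):
            return "locked"
        result = self.store.check(account, guess)
        if result == "wrong":
            n += 1
            self.local_failures[account] = n
            if self._over_limit(n):
                return "locked"
        return result


def brute_force(host, account):
    """Guess 000000..999999 in order until a code is accepted or the host locks us out.

    Returns (accepted_code_or_None, guesses_made).
    """
    for n in range(CODE_SPACE):
        guess = f"{n:06d}"
        result = host.verify(account, guess)
        if result == "ok":
            return guess, n + 1
        if result == "locked":
            return None, n + 1
    return None, CODE_SPACE


def attack_via(host_name, backend_limit=None, code="734219"):
    """Replay the scenario: www enforces a lockout, beta does not, both share one backend."""
    store = SharedStore(max_attempts=backend_limit)
    store.issue("victim", code=code)   # constructed victim account and code
    hosts = {"www": FrontEnd(store, WWW_LIMIT), "beta": FrontEnd(store, None)}
    return brute_force(hosts[host_name], "victim")


def success_probability(max_attempts):
    """Chance of guessing a uniformly random 6-digit code within max_attempts tries."""
    return min(max_attempts, CODE_SPACE) / CODE_SPACE


if __name__ == "__main__":
    print("www, no backend limit  :", attack_via("www"))
    print("beta, no backend limit :", attack_via("beta"))
    print("beta, backend limit 10 :", attack_via("beta", backend_limit=10))
    print("P(success | 10 guesses) =", success_probability(WWW_LIMIT))
```

The point the simulation makes is that a limit kept in each front end's own state is only as strong as the weakest host that can reach the backend; once the counter lives beside the code it protects, a forgotten limit on a test host no longer matters. With a 10-guess cap a random six-digit code is recovered with probability 10 / 1,000,000; without one, exhaustive search is guaranteed to finish within a million requests.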
The flaw was the result of a change made to the beta page a couple of days earlier, and it does not appear to have been exploited to any great extent before Prakash discovered it. He reported it through Facebook's official vulnerability reporting page, and the company quickly issued a fix. Facebook then awarded him a hefty US$15,000 (AU$20,223) for discovering the flaw.
“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” said the company in a statement. “We’re happy to recognize and reward Anand for his excellent report.” The Verge reported that Facebook has made more than US$4.3 million (AU$5.8 million) in payouts to more than 800 researchers since the bug bounty program began in 2011.