A major flaw in Facebook’s account security has been brought to light by a security researcher, who has received a cool $15,000 payout from the social network for his efforts.
Anand Prakash spotted the flaw, which allowed him access to any user’s account on the platform, last month. The bug was related to the Facebook account reset process, which results in the site sending a six-digit PIN to a user’s phone to be used as a temporary password.
Usually, the individual resetting an account is granted approximately 10-12 wrong password guesses. Prakash noticed that those security measures were missing from the Facebook beta site for developers, where every single user account is also readily available. Consequently, the bug allowed Prakash to seemingly flood the site with PIN guesses, and hack into any account he wanted.
Instead of exploiting the flaw, however, Prakash notified Facebook through its report vulnerability page. The following day, the social network confirmed that the bug occurred due to a change to the beta page a few days earlier. Although Facebook assures that the flaw was not misused in that time frame, it still felt compelled to pay the $15,000 bug bounty to Prakash.
The resulting award and Facebook’s rapid response in stamping out the bug hints at the major risk involved. It may not have been the most complicated security issue, but it could have resulted in complete chaos if utilized through the site’s main page.
“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” Facebook said in a statement to The Verge. “We’re happy to recognize and reward Anand for his excellent report.”
Since its inception, Facebook’s bug bounty program has forked out over $4 million to hackers and security researchers for responsibly disclosing issues in its system.