Anand Prakash spotted the flaw, which allowed him access to any user’s account on the platform, last month. The bug was related to the Facebook account reset process, which results in the site sending a six-digit PIN to a user’s phone to be used as a temporary password.
Usually, the individual resetting an account is granted approximately 10-12 wrong password guesses. Prakash noticed that those security measures were missing from the Facebook beta site for developers, where every single user account is also readily available. Consequently, the bug allowed Prakash to seemingly flood the site with PIN guesses, and hack into any account he wanted.
Instead of exploiting the flaw, however, Prakash notified Facebook through its report vulnerability page. The following day, the social network confirmed that the bug occurred due to a change to the beta page a few days earlier. Although
The resulting award and Facebook’s rapid response in stamping out the bug hints at the major risk involved. It may not have been the most complicated security issue, but it could have resulted in complete chaos if utilized through the site’s main page.
“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” Facebook said in a statement to The Verge. “We’re happy to recognize and reward Anand for his excellent report.”
Since its inception, Facebook’s bug bounty program has forked out over $4 million to hackers and security researchers for responsibly disclosing issues in its system.
