Skip to main content

Facebook pays $15,000 bounty to close bug that can access any user’s account

facebook jobs tab woman using
Image used with permission by copyright holder
A major flaw in Facebook’s account security has been brought to light by a security researcher, who has received a cool $15,000 payout from the social network for his efforts.

Anand Prakash spotted the flaw, which allowed him access to any user’s account on the platform, last month. The bug was related to the Facebook account reset process, which results in the site sending a six-digit PIN to a user’s phone to be used as a temporary password.

Recommended Videos

Usually, the individual resetting an account is granted approximately 10-12 wrong password guesses. Prakash noticed that those security measures were missing from the Facebook beta site for developers, where every single user account is also readily available. Consequently, the bug allowed Prakash to seemingly flood the site with PIN guesses, and hack into any account he wanted.

Please enable Javascript to view this content

Instead of exploiting the flaw, however, Prakash notified Facebook through its report vulnerability page. The following day, the social network confirmed that the bug occurred due to a change to the beta page a few days earlier. Although Facebook assures that the flaw was not misused in that time frame, it still felt compelled to pay the $15,000 bug bounty to Prakash.

The resulting award and Facebook’s rapid response in stamping out the bug hints at the major risk involved. It may not have been the most complicated security issue, but it could have resulted in complete chaos if utilized through the site’s main page.

“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” Facebook said in a statement to The Verge. “We’re happy to recognize and reward Anand for his excellent report.”

Since its inception, Facebook’s bug bounty program has forked out over $4 million to hackers and security researchers for responsibly disclosing issues in its system.

Saqib Shah
Former Digital Trends Contributor
Saqib Shah is a Twitter addict and film fan with an obsessive interest in pop culture trends. In his spare time he can be…
I paid Meta to ‘verify’ me — here’s what actually happened
An Instagram profile on an iPhone.

In the fall of 2023 I decided to do a little experiment in the height of the “blue check” hysteria. Twitter had shifted from verifying accounts based (more or less) on merit or importance and instead would let users pay for a blue checkmark. That obviously went (and still goes) badly. Meanwhile, Meta opened its own verification service earlier in the year, called Meta Verified.

Mostly aimed at “creators,” Meta Verified costs $15 a month and helps you “establish your account authenticity and help[s] your community know it’s the real us with a verified badge." It also gives you “proactive account protection” to help fight impersonation by (in part) requiring you to use two-factor authentication. You’ll also get direct account support “from a real person,” and exclusive features like stickers and stars.

Read more
Here’s how to delete your YouTube account on any device
How to delete your YouTube account

Wanting to get out of the YouTube business? If you want to delete your YouTube account, all you need to do is go to your YouTube Studio page, go to the Advanced Settings, and follow the section that will guide you to permanently delete your account. If you need help with these steps, or want to do so on a platform that isn't your computer, you can follow the steps below.

Note that the following steps will delete your YouTube channel, not your associated Google account.

Read more
How to download Instagram photos for free
Instagram app running on the Samsung Galaxy Z Flip 5.

Instagram is amazing, and many of us use it as a record of our lives — uploading the best bits of our trips, adventures, and notable moments. But sometimes you can lose the original files of those moments, leaving the Instagram copy as the only available one . While you may be happy to leave it up there, it's a lot more convenient to have another version of it downloaded onto your phone or computer. While downloading directly from Instagram can be tricky, there are ways around it. Here are a few easy ways to download Instagram photos.

Read more