Indian Hacker Finds Facebook Bug, Gets Rewarded $15000
You may have wondered how Facebook accounts could be hacked. In practice it is next to impossible, but Bengaluru-based Anand Prakash found a Facebook bug that could have done exactly that.
There was a vulnerability in the password reset method that allowed an attacker to brute-force the reset code for any account, which could have been used to take over any user account without any user interaction. Facebook has now fixed the flaw and awarded a $15,000 bug bounty to Bengaluru-based Anand Prakash.
This Facebook bug could have given full access to a victim's messages, the credit/debit cards stored under the payment section, personal photos, etc.
According to the vulnerability report by Anand Prakash, when a user forgets his password on Facebook, he has the option to reset it by entering his phone number or email address at https://www.facebook.com/login/identify?ctx=recover&lwv=110
Facebook then sends a 6-digit code to that phone number or email address, which the user has to enter in order to set a new password. He tried to brute-force the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts.
Interestingly, when he tried the same attack on beta.facebook.com and mbasic.beta.facebook.com, rate limiting was missing on the forgot-password endpoints.
He tried to take over his own account and succeeded in setting a new password for it; he was also able to use that password to log in to the account, as stated in the description of the issue in Anand Prakash's post.
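The defensive lesson of the bug above is that the attempt limit must be enforced by one shared authority, not per host. The following is an added example (not Facebook's code and not from Anand Prakash's post) of a reset-code verifier that every front end (www, beta, mbasic) would call, so that switching hosts cannot bypass the counter; the 10-attempt limit mirrors the article, while the 15-minute expiry, the class and method names, and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 10        # matches the 10-12 attempt limit the article reports on www
CODE_TTL_SECONDS = 900   # assumption: a reset code expires after 15 minutes


class ResetCodeVerifier:
    """Single authority for reset codes. Every front end (www, beta, mbasic)
    must verify through the same instance, so the attempt counter travels
    with the account rather than with the host that received the request."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._codes = {}           # user_id -> [code, issued_at, attempts]

    def issue(self, user_id):
        """Generate a fresh random 6-digit code. Re-issuing starts a new
        counter, but against a new random code, so guesses do not carry over."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[user_id] = [code, self._now(), 0]
        return code

    def verify(self, user_id, submitted):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        entry = self._codes.get(user_id)
        if entry is None:
            return "no_code"
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[user_id]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            return "locked"        # rejected before comparing, even if correct
        entry[2] = attempts + 1    # count every attempt, right or wrong
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self._codes[user_id]               # single use: a code works once
            return "ok"
        return "wrong"
```

With this in place an attacker gets at most 10 guesses against a 6-digit code per issued code, regardless of which hostname received the requests.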
Facebook bug bounty Awarded to Anand Prakash
Facebook has acknowledged the issue and fixed it. The hacker was rewarded $15,000 (approximately Rs 10 lakh) considering the impact of the vulnerability.
Anand Prakash has discovered vulnerabilities in, and has been acknowledged and rewarded by, several big IT companies around the world, including Facebook, Twitter, Google, RedHat, Dropbox, Adobe, eBay, Paypal, Coinbase, LaunchKey, Nokia, Mailchimp, ManageWP, Gliph, PikaPay, Bitmit, LocalBitcoins.com, Blackberry, SoundCloud, Angel.co, HackerOne and Active Prospect.