The researcher reported a vulnerability allowing him to access anyone’s Facebook password
In February, Anand Prakash, a computer programmer from India who works for Flipkart, discovered a vulnerability in the popular social network Facebook that allowed him to access any user's Facebook account with little effort.
The flaw relied on Facebook's password-reset flow. When a user forgets their password, they can request a new one if they know their username, email address or phone number. Facebook then sends a six-digit code to the user's phone or email address, which serves as a temporary password.
"The researcher found it a piece of cake to access users' Facebook accounts."
Normally, after a number of failed attempts, Facebook locks the account, which makes it hard for someone without the correct information to break into it. Facebook also changes the code after every request. Mr. Prakash noticed, however, that on the beta version of the network, beta.facebook.com, which developers normally use for trial runs of new features, this lockout was missing. The beta site serves the same accounts as the main site, so the missing check gave him the chance to potentially break into any account he wanted.
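As an added illustration of the lockout that was missing on the beta host, here is a sketch (not Facebook's code) of how a reset-code endpoint can count failed guesses per account rather than per host, replace the code on every request and expire it; the class name, thresholds and helper names are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 10        # assumed lockout threshold, not Facebook's value
CODE_TTL_SECONDS = 600   # assumed code lifetime, not Facebook's value


class ResetCodeVerifier:
    """Server-side handling of six-digit password-reset codes.

    Failures are counted per account, independent of which front end
    received the guess, so a second host such as a beta site cannot be
    used to sidestep the lockout enforced on the main site.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock, so expiry can be tested
        self._codes = {}       # username -> (code, issued_at)
        self._failures = {}    # username -> failed guesses since last success

    def issue_code(self, username):
        # Each request replaces the previous code, so re-requesting a code
        # does not hand out another guess at the same value.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[username] = (code, self._now())
        return code

    def is_locked(self, username):
        return self._failures.get(username, 0) >= MAX_ATTEMPTS

    def verify(self, username, attempt):
        # Locked accounts never reach the comparison, whatever code is sent.
        if self.is_locked(username):
            return False
        entry = self._codes.get(username)
        if entry is None:
            return False
        code, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[username]      # stale code is discarded
            return False
        if hmac.compare_digest(code.encode(), str(attempt).encode()):
            del self._codes[username]      # a code is valid once only
            self._failures.pop(username, None)
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        return False
```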
Mr. Prakash said the flaw was open to anyone; the only requirement was knowledge of the target's username. That is easy to obtain, since it is visible on a user's profile. For example, Facebook founder Mark Zuckerberg's own username is "zuck".
Mr. Prakash demonstrated how he had broken into his own account and read all the private messages and files in it without any trouble. Fortunately, he did the right thing and reported it, because a flaw of this magnitude would have been very hard to contain.
The bug was the result of an update by Facebook and, luckily, was not heavily exploited before Mr. Prakash reported it. For his efforts, the programmer received a bounty of $15,000 under the rules of Facebook's bug bounty program.
Some analysts suggested the payout was too generous, but under Facebook's rules payouts are based on risk, impact and other factors. There is no doubt that this flaw would have had a serious impact on Facebook, so the reward seems justified, and Facebook rightly judged it as such.
In a statement, Facebook said: "One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We are happy to recognize and reward Anand for his excellent report." Facebook has reportedly paid out more than $4.3 million to researchers who have discovered bugs through its bug bounty program.