Indian Hacker Gets $15,000 For Reporting Facebook Bug
Anand Prakash, an Indian hacker, came across a flaw in Facebook account security, and reported it to Facebook’s Security Vulnerability page. Facebook fixed the issue within a day and for Mr. Prakash’s honesty, handed him a bounty of $15,000.
How Did He Do It?
Mr. Prakash said he was able to hack accounts through the “Forgot Password” option. When you forget your password, you can only reset it after Facebook emails or texts you a six-digit PIN code. The code can be entered only a limited number of times before further attempts are locked out, a protection known as rate limiting.
Facebook uses rate limiting to block another technique hackers use, known as brute force, in which every possible combination of digits is tried until the right code is found and the password is reset. However, this protection was missing on Facebook’s beta site, beta.facebook.com. This gave Mr. Prakash an unlimited number of attempts to crack the PIN code and reset the password.
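To show what the missing control looks like in practice, here is an added example of a reset-code verifier with a per-code attempt cap; it is illustrative code written for this article, not Facebook’s implementation, and the attempt limit, code lifetime and account names are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # failed guesses allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 600    # a code stops being valid after ten minutes (assumed)


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    failed_attempts: int = 0
    locked: bool = False


class PasswordResetService:
    """Issues six-digit reset codes and verifies guesses with an attempt cap."""

    def __init__(self, enforce_rate_limit: bool = True, now=time.time):
        # enforce_rate_limit=False models a host, like the beta site, that forgot the cap.
        self.enforce_rate_limit = enforce_rate_limit
        self._now = now
        self._challenges: dict[str, ResetChallenge] = {}

    def issue_code(self, account: str) -> str:
        # Six-digit code from a CSPRNG; zero-padding keeps the space at exactly 10**6.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account] = ResetChallenge(code, self._now())
        return code

    def verify(self, account: str, guess: str) -> bool:
        ch = self._challenges.get(account)
        if ch is None or self._now() - ch.issued_at > CODE_TTL_SECONDS:
            return False                      # no outstanding or expired challenge
        if ch.locked:
            return False                      # locked challenges reject even the right code
        if hmac.compare_digest(ch.code, guess):
            del self._challenges[account]     # single use: a code cannot be replayed
            return True
        ch.failed_attempts += 1
        if self.enforce_rate_limit and ch.failed_attempts >= MAX_ATTEMPTS:
            ch.locked = True                  # user must request a fresh code
        return False
```

With the cap enforced, an attacker gets at most MAX_ATTEMPTS guesses out of a million possible codes per issued code; without it, the only limit is how fast guesses can be sent.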
Anand Prakash hacked his own account and uploaded a video of it on his blog as proof. Once hacked, he could see the account’s debit/credit card transactions, messages, and photos.
In its statement to Gizmodo, Facebook thanked Anand Prakash for reporting the bug, saying: “One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We’re happy to recognize and reward Anand for his excellent report.”
Last month, British bounty hunter Jack Whitton was awarded $7,500 by Facebook for reporting how code could be embedded in an image to hack an account. This was the second time Mr. Whitton had received cash from the company. His first bounty earned him a whopping $20,000 in 2013.
The Bug Bounty Program was announced in 2011 to incentivize hackers to report shortcomings in the website’s security. Facebook has awarded $4.3 million to over 800 researchers under the initiative. $936,000 was paid as bounty just in 2015.
Source | TechNewsToday