For an Indian security researcher, an accidental hole in Facebook’s security setup turned out to be a happy accident indeed.
The social network’s bug bounty program handed Anand Prakash a $15,000 reward after he told Facebook about a password flaw that could have let hackers sign into user accounts with little effort.
The flaw, since fixed by Facebook, was a simple vulnerability that gave the researcher access to Facebook accounts “without any user interaction,” Prakash said in a blog post Monday. Prakash was able to access the full range of information saved in an account, including messages, photos, videos and financial information stored in Facebook’s payment section.
Facebook, based in Menlo Park, California, began its bug bounty program in 2011; it rewards researchers, hackers and others for reporting security flaws to the company. The world’s largest social network isn’t alone in tapping the hive mind for help in keeping things locked down. Google, Microsoft and other tech companies offer similar programs, which have sprung up over the last several years as cybercrime has become ever more frequent and damaging.
Prakash explained in his post that missing security protections on some versions of Facebook’s site made it possible for hackers to reset account passwords without the legitimate owner’s knowledge.
When you forget your Facebook password, you can use the website’s password reset feature to recover access. You identify the account you’re talking about by entering your phone number, email address, username or actual, full name. Facebook then sends a six-digit code to you for verification, and you have to enter it to create a new password.
Facebook’s main website prevents hackers from requesting a reset for a given account and then simply running a program to guess the code instead of receiving it from the social network: the site blocks the account after 10 to 12 failed attempts. But on the beta pages beta.facebook.com and mbasic.beta.facebook.com, the scenario played out differently for Prakash. The security researcher said “rate limiting,” the anti-brute-force measure present on the main website, was missing from those domains.
It was then short work for Prakash to brute-force attack his own account as a test bed and successfully set up a new password, granting himself access to the account and everything stored within.
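To make concrete what the missing protection looks like from the defender's side, here is an added example (not code from Facebook or from Prakash's post) of a password-reset verification service that enforces the kind of per-account attempt cap the article describes. The class name, the 10-attempt limit, the 15-minute code lifetime and the one-hour lockout are assumptions chosen for illustration; the article only says the main site locks after 10 to 12 failures. The counter is keyed on the account being reset, not on the client, so a guesser cannot evade it by changing addresses, and a locked account refuses new reset requests until the lockout expires.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                 # the article describes a six-digit reset code
MAX_ATTEMPTS = 10               # assumed cap; the article reports 10 to 12 on the main site
CODE_TTL_SECONDS = 15 * 60      # assumed code lifetime
LOCKOUT_SECONDS = 60 * 60       # assumed cooldown after too many failures


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    failed_attempts: int = 0
    locked_until: float = 0.0


class PasswordResetService:
    """Hypothetical reset-code verifier with per-account rate limiting."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self._challenges = {}          # account_id -> ResetChallenge
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.lockout = lockout
        self.clock = clock             # injectable for testing expiry

    def request_reset(self, account_id):
        """Issue a fresh random code, or None if the account is locked out."""
        now = self.clock()
        existing = self._challenges.get(account_id)
        if existing is not None and existing.locked_until > now:
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[account_id] = ResetChallenge(code=code, issued_at=now)
        # In a real deployment the code is delivered only out-of-band (SMS/email);
        # it is returned here solely so the example can be exercised offline.
        return code

    def verify_code(self, account_id, submitted):
        """Return one of: ok, wrong, locked, expired, no_challenge."""
        now = self.clock()
        ch = self._challenges.get(account_id)
        if ch is None:
            return "no_challenge"
        if ch.locked_until > now:
            return "locked"
        if now - ch.issued_at > self.ttl:
            del self._challenges[account_id]
            return "expired"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(ch.code, submitted):
            del self._challenges[account_id]   # single use
            return "ok"
        ch.failed_attempts += 1
        if ch.failed_attempts >= self.max_attempts:
            ch.locked_until = now + self.lockout
            return "locked"
        return "wrong"


def guess_success_probability(max_attempts, digits=CODE_DIGITS):
    """Chance that random guessing hits a uniformly random code within the cap."""
    return min(1.0, max_attempts / 10 ** digits)


if __name__ == "__main__":
    svc = PasswordResetService()
    code = svc.request_reset("demo-account")
    print("correct code accepted:", svc.verify_code("demo-account", code))
    print("success odds with a 10-attempt cap:", guess_success_probability(10))
    print("success odds with no cap (10^6 tries):", guess_success_probability(10 ** 6))
```

The probability helper shows why the cap matters: with 10 attempts against a six-digit code, a guesser's odds are one in 100,000, whereas with no limit the full space of one million codes can be walked in a single session, which is the situation the article describes on the beta domains.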
Prakash notified Facebook of the vulnerability on February 22. Because the flaw was serious and easily within the skill range of many cyberattackers, Facebook rapidly tested and acknowledged the flaw, patching the problem and giving Prakash his bounty as a reward for responsible disclosure.