Hacker discovers MASSIVE flaw on Facebook. Receives $15,000
This week a man discovered he could have accessed practically any Facebook account that he wished, just by exploiting one single very simple flaw in Facebook’s security defenses.
Needless to say, in terms of security flaws, that’s a whopper. Luckily for all of us, and especially luckily for Facebook, that man was Anand Prakash, a security researcher from India, a bug bounty hunter who discovers and reports bugs for a living.
This is known as ‘white hat’ hacking: computer gurus like Prakash compete in bug bounty programs professionally. These programs are offered by large websites like Facebook, who invite computer gurus to try and discover security flaws. If someone finds a security flaw, they report it to Facebook, who pay them a reward to say thank you.
The bigger the reward, the more serious a flaw they found. Prakash got $15,000 for the flaw he found. That’s a lot of money. It means the flaw he found was very serious.
And of course it was. Being able to gain access to any Facebook account he wished is the mother of all security flaws. But how did he do it?
In reality, the flaw was extremely simple. Well, for a security researcher that is. Prakash took advantage of the ‘reset password’ feature.
If you forget your password, you can click on the ‘Forgot Password’ link, and Facebook will send you a reset PIN consisting of 6 digits to the email address or phone number that is associated with your Facebook account. You can then use that 6-digit PIN as your password to log in to your account and then change your password to something more secure.
On the normal Facebook website, once you request the PIN, you can enter it along with your username to regain control of your account. However, if you guess the PIN wrong around 10 times, Facebook prevents any more tries, to stop people using what is known as a ‘brute force’ attack, where you basically guess every combination of 6 digits (using special software, of course!) until you get it right.
However, on beta.facebook.com – a special version of the Facebook website used by developers – that 10-try limit wasn’t present. Now, while many of us probably don’t use beta.facebook.com, our profiles can be accessed on it. Try typing it into your web browser.
So what Prakash found he could do was target any Facebook email (username) he liked and select the ‘forgot password’ link so the 6-digit PIN was sent to that user’s email or phone number. Then Prakash would head over to beta.facebook.com and use a brute force attack to find the correct PIN and subsequently access the account.
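The defensive lesson of the story is that the attempt limit has to live in the one place every front end (www, beta, mobile) talks to, not in each website separately. The sketch below is an added illustration, not Facebook’s code: a hypothetical server-side store that issues a 6-digit reset PIN, counts failed guesses per account, and throws the PIN away after the roughly 10 tries the article mentions (the 15-minute expiry and the single-use rule are assumptions of this example).

```python
import hmac
import secrets
import time

# Hypothetical server-side reset-PIN store (added example, not Facebook's implementation).
# Every front end must call this same store, so the failure counter is shared
# and cannot be sidestepped by picking a different entry point such as a beta site.
MAX_ATTEMPTS = 10          # roughly the limit the article describes for the main site
PIN_TTL_SECONDS = 15 * 60  # assumption for this example: a PIN is valid for 15 minutes


class ResetPinStore:
    def __init__(self):
        # account -> {"pin": str, "issued": float, "failures": int}
        self._pins = {}

    def issue(self, account, now=None):
        """Generate a uniformly random 6-digit PIN and reset the attempt counter."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(1_000_000):06d}"
        self._pins[account] = {"pin": pin, "issued": now, "failures": 0}
        return pin

    def verify(self, account, candidate, now=None):
        """Return True only for a correct, unexpired PIN with attempts remaining.

        The counter is keyed on the account, so the lockout is the same no matter
        which front end submitted the guess.
        """
        now = time.time() if now is None else now
        rec = self._pins.get(account)
        if rec is None:
            return False                      # no PIN outstanding (never issued, used, or locked)
        if now - rec["issued"] > PIN_TTL_SECONDS:
            del self._pins[account]           # expired: user must request a new PIN
            return False
        # Constant-time comparison so response timing reveals nothing about matching digits.
        if hmac.compare_digest(rec["pin"], str(candidate)):
            del self._pins[account]           # single use: a PIN never works twice
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            del self._pins[account]           # too many wrong guesses: invalidate the PIN entirely
        return False

    def attempts_left(self, account):
        rec = self._pins.get(account)
        return 0 if rec is None else MAX_ATTEMPTS - rec["failures"]
```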
Given the obscurity of some of the flaws reported to Facebook and other websites every single day, this flaw was actually stunningly simple. Let’s all be thankful that it was discovered by one of the good guys first.