
Bengaluru boy finds Facebook bug, gets $15,000 for it

A security flaw in the website could let anyone access accounts through tweaking the reset password code.

Bengaluru: White-hat hacker Anand Prakash found a simple bug in Facebook which, if exploited, could be a user’s worst nightmare. A security flaw in the website could let anyone access accounts by tampering with the password-reset code.

The social media giant acknowledged the issue promptly, fixed it and rewarded Prakash $15,000, considering the severity and impact of the vulnerability.

Prakash, an active participant in Facebook’s bug bounty programme, in which individuals receive recognition and compensation for identifying and reporting bugs in a website, said that he came across a vulnerability in the Facebook website through which hackers could access a user's messages, photos and even the debit/credit card details stored in the payments section.

Speaking to Deccan Chronicle, Prakash explained the nature of the bug, adding that he used his own account to test the vulnerability. Typically, Facebook sends a six-digit code to the registered phone number and email address of a user trying to reset a forgotten password. Prakash tried a brute-force attack, which means exhaustively trying candidate codes by trial and error. However, after 10-12 incorrect codes, the website blocked Prakash from any further attempts.

However, when Prakash tried the same procedure on the beta version of Facebook, used by the testing community for performance evaluation, he realised that the limit on the number of incorrect attempts was missing. He then used an exhaustive search to try the possible six-digit codes until he hit the correct key.

“It’s very easy to brute force a six-digit key. I got the correct key and access to reset a new password in the 899th attempt,” Prakash said. Prakash sent the bug report to Facebook’s security team on February 22 and received an e-mail about the reward on March 2. A security engineer at Flipkart, the 23-year-old Prakash has been actively contributing to the bounty programmes of Facebook and other websites, highlighting bugs with major impact.

Prakash ranked 4th and 3rd in Facebook’s bounty programme for finding the most bugs in 2015 and 2014, respectively. He had also won a prize of $12,500 for a bug he reported to Facebook last year. Prakash’s blog post also includes references to bugs he identified earlier for Facebook and Zomato.

So, what was the bug Prakash found?
The 23-year-old was trying to find out whether somebody could hack into a Facebook user’s account. How would a hacker do that? In the scenario Prakash tried, a hacker trying to break into your FB account knows your login ID – the email ID that you use to log in to the site – but does not know your password. What he could then do is try the ‘forgot password’ option. When he does that, though, Facebook sends a one-time six-digit code to your email ID and mobile phone.

The hacker does not have access to it, but what if he could guess the code that FB sent to you? That’s exactly what Prakash tried, on Facebook’s beta website, and he managed to crack it on the 899th attempt, using an automated way to keep trying different codes. If a hacker succeeded in such a ‘brute-force’ attempt, he would not only have your login ID but now also the code that would allow him to reset your password and hijack your FB account.
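The weakness described in both the report above and this explainer is a missing attempt limit on the reset-code check. The Python below is an added illustration, not code from the article or from Facebook: a small reset-code service with the weak verifier (wrong guesses are rejected but never counted, so the whole six-digit space stays open) beside a hardened one that counts attempts per challenge, locks the challenge after a cap, expires stale codes, consumes a code on first use and compares in constant time. The account names, the attempt cap of 10 (the article only says production blocked after 10-12 wrong tries) and the 10-minute expiry are assumptions for the demo.

```python
"""Password-reset code verification: unlimited attempts beside a rate-limited
verifier. Added illustration, not Facebook's code; the cap and TTL are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                 # the article: a six-digit reset code
CODE_SPACE = 10 ** CODE_DIGITS  # 1,000,000 possible codes
MAX_ATTEMPTS = 10               # assumption: production blocked after 10-12 wrong tries
CODE_TTL_SECONDS = 600          # assumption: the article gives no expiry window


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class ResetService:
    """Issues one reset code per account and verifies guesses against it."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._challenges = {}

    def issue_code(self, account: str) -> str:
        """Generate a fresh CSPRNG code. A real service sends it out of band
        (SMS / e-mail); it is returned here only so the demo can use it."""
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._challenges[account] = ResetChallenge(code=code, issued_at=self._now())
        return code

    def verify_unlimited(self, account: str, guess: str) -> bool:
        """Weak verifier, the behaviour the article describes on the beta site:
        a wrong guess is rejected but nothing stops the next one, so the whole
        code space can be walked through."""
        ch = self._challenges.get(account)
        return ch is not None and hmac.compare_digest(ch.code, guess)

    def verify_limited(self, account: str, guess: str) -> bool:
        """Hardened verifier: per-challenge attempt counter with lockout,
        expiry, single use and a constant-time comparison."""
        ch = self._challenges.get(account)
        if ch is None or ch.locked:
            return False
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]   # stale code is discarded
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code, guess):
            del self._challenges[account]   # a code is consumed on success
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True                # further guesses, right or wrong, are refused
        return False


def guess_success_probability(attempts: int) -> float:
    """Chance that an attacker with a budget of `attempts` distinct guesses hits
    a uniformly random code; with the cap in place this is 10 / 1,000,000."""
    return min(attempts, CODE_SPACE) / CODE_SPACE


if __name__ == "__main__":
    svc = ResetService()
    code = svc.issue_code("demo-account")           # constructed account name
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify_limited("demo-account", wrong)
    print("correct code accepted after lockout:", svc.verify_limited("demo-account", code))
    print(f"success chance with {MAX_ATTEMPTS} guesses: {guess_success_probability(MAX_ATTEMPTS):.0e}")
    print(f"success chance with unlimited guesses: {guess_success_probability(CODE_SPACE):.0f}")
```

The lockout is tied to the challenge, so a locked account cannot be unlocked by guessing the right code afterwards; a new code has to be requested, which is itself an event worth rate-limiting and alerting on. The check that matters for a deployment is the one the article implies was skipped: every host that accepts the code, beta included, must enforce the same limit, because the codes and accounts are shared across them.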

(Source: Deccan Chronicle)