A white hat hacker in India says he found a way to hack into any Facebook user’s profile. Don’t freak out though! Like a good white hat, the hacker alerted Facebook to the disastrous loophole. Facebook paid him a $15,000 bug bounty. Seems small.
Anand Prakash is the aforementioned security engineer from India. In a blog post tauntingly titled “How I could have hacked all Facebook accounts,” Prakash explains how he discovered a way of exploiting Facebook’s “Forgot Password?” algorithm to force his way into anybody’s account and uploaded a proof-of-concept video that shows the exploit. Prakash also provided a screenshot of his bug bounty payment from Facebook.
Facebook, who’s worked with Prakash before to sniff out bugs, released the following statement to Gizmodo: “One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We’re happy to recognize and reward Anand for his excellent report.”
As you probably know, if you’ve forgotten your password, Facebook will text or emailed a six-digit confirmation code to plug into the site so that you can reset the password and access your profile. Facebook allows people several attempts to enter the code correctly before they get locked out. It’s a technique called rate-limiting, which essentially prevents identity thieves from simply going down the list of all possible number combinations in order to eventually crack the code. This hacker technique is called brute forcing.
The problem is that Facebook’s beta sites (like beta.facebook.com) didn’t have that rate-limiting function in place. And so Prakash brute-forced his way into someone’s account since the beta site gave him an unlimited number of attempts to enter that six-digit confirmation code. Check out Prakash’s YouTube video for the whole play-by-play.
After successfully resetting the user’s password, Prakash says he was “able to view messages, his credit/debit cards stored under payment section, personal photos, etc.” This is exactly the type of data you wouldn’t want a hacker to steal.
Melanie Ensign, Security Communications rep at Facebook, told me in a phone interview that the bug was actually only in the wild for 72 hours—the beta site, too, is usually protected by brute force hacks that bypass rate-limiting. But the error appeared when Facebook was performing a system change on the back end, leaving the beta site temporarily vulnerable.
Prakash says he discovered the vulnerability and reported it to Facebook on February 22. By March 2, Facebook awarded him $15,000. Without confirmation from Facebook, there’s always the chance that this is some very elaborate hoax. However, Facebook does indeed have serious vulnerabilities and pays hackers a bounty for discovering them. A year ago, Gizmodo reported on a very similar sort of story about a white hat hacker and a bug that allowed him to delete any photo on the social network. Facebook confirmed that exploit and the resultant bounty after we published our story, so we’ll see what Zuck and company decide to do this time around.
Update, 1:00 p.m. EST: Included statement from Facebook and context from a phone interview.
Contact the author at firstname.lastname@example.org.