Bengaluru-based hacker finds Facebook bug
Anand Prakash, a Bengaluru-based hacker, has been awarded $15,000 (approximately Rs 10 lakh) for finding a bug in Facebook’s login system. The bug, if exploited, could have let attackers access a user’s messages, photos and even the debit/credit card details stored in the payments section, among other data.
Prakash sent the bug report to the Facebook security team on February 22 and received a mail about the reward on March 2.
However, Prakash said in his blog post:
“Facebook acknowledged the issue promptly and fixed it.”
Prakash wrote about the bug on his blog:
“Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110. Facebook will then send a 6-digit code to his phone number/email address, which the user has to enter in order to set a new password.
I tried to brute-force the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts. Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly (the) rate limiting was missing on the forgot-password endpoints. I tried to take over my account (as per Facebook’s policy you should not do any harm to any other user’s account) and was successful in setting a new password for my account. I could then use the same password to log in to the account.”
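The defensive lesson in the write-up above is that an attempt budget for a 6-digit code must be tied to the account, not to the host that serves the request; the following is an added example (not Prakash's code and not Facebook's) of a reset-code verifier built that way. The class name, the 10-attempt limit and the host labels are assumptions.

```python
import hmac
import secrets
from collections import defaultdict

# Assumed limit: a 6-digit code has 1,000,000 values, so ten guesses give an
# attacker roughly a 1-in-100,000 chance before the code is invalidated.
MAX_ATTEMPTS = 10


class ResetCodeVerifier:
    """Constructed example: failed attempts are counted per account, so a
    request arriving via a second front end (beta, mbasic.beta) draws on
    the same budget instead of getting a fresh one."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.codes = {}                    # account -> pending 6-digit code
        self.failures = defaultdict(int)   # account -> failed attempts

    def issue_code(self, account):
        # Zero-padded 6-digit code from a CSPRNG; issuing resets the budget.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[account] = code
        self.failures[account] = 0
        return code

    def verify(self, account, submitted, host="www"):
        """Return 'ok', 'invalid' or 'locked'. `host` is informational only;
        it deliberately plays no part in the decision."""
        if self.failures[account] >= self.max_attempts:
            return "locked"
        expected = self.codes.get(account)
        # Constant-time comparison; a missing code never matches.
        if expected is not None and hmac.compare_digest(expected, submitted):
            del self.codes[account]        # one-time use
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_attempts:
            # On lockout the pending code is discarded; a new one must be issued.
            self.codes.pop(account, None)
            return "locked"
        return "invalid"
```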
Many other technology giants, along with Facebook, run bug bounty programmes to encourage independent ethical hackers to probe their systems and identify vulnerabilities. In 2015, the social media giant paid a total of $936,000 to 210 researchers for finding bugs.
About Anand Prakash:
Anand Prakash, born in Bhadra, Rajasthan, went to Vellore Institute of Technology to pursue his B Tech in computer science engineering. Prakash has earned over Rs 1 crore so far by finding such bugs and has reported over 80 bugs to Facebook alone. In 2015, he was ranked No. 4 globally by Facebook for finding the most bugs on the social networking website.
Currently, Anand Prakash is working as a security analyst at Flipkart.
Major companies that have paid him for finding bugs in their code include Google, Twitter, Adobe, RedHat, SoundCloud, Nokia, PayPal and eBay, among others.
His award of $15,000 was towards the high end of the payment spectrum, as the average payout for identifying a bug in 2015 was $1,780. Hackers from India, Egypt, and Trinidad & Tobago lead the bounty payout programme.