Facebook has awarded a sum of $15,000 (roughly Rs. 10 lakhs) to an India-born security researcher. Anand Prakash received the bug bounty from Facebook after disclosing a vulnerability in the social juggernaut's website that enabled an attacker to gain access to anyone's account.
Prakash discovered a vulnerability on Facebook website that allowed him to change the user account password for any account. He reported the vulnerability to Facebook last month and the company has since patched it. Prakash has now shed light on the vulnerability, and also demonstrated it in works on a video.
The security hole resided in company's developer portal, beta.facebook.com, which is designed for developers to perform tests before rollout to the general public. Facebook sends users a 6-digit code over email or text message upon password reset request. To prevent abuse or potential ill intents, Facebook allows only a certain number of attempts. Turns out, over at the beta website, a user could make any number of guesses.
In a blog post, Prakash wrote that he utilised Burp Suite, a popular testing tool. Prakash noted that because it's only a six-digit number, and brute forcing password is possible, it was not impossible to crack into someone's account, guessing the reset password.
"[...] I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints," he wrote in a blog post. "I tried to takeover my account ( as per Facebook's policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account."