A security researcher from India found a serious weakness in Facebook's "Forgot Password?" flow that could be exploited to take over any account. Instead of using it to do harm, he reported the loophole to Facebook and was rewarded with $15,000.
Security engineer Anand Prakash detailed the finding in a blog post, explaining how he discovered and exploited the vulnerability in the social network. He also uploaded a proof-of-concept video along with a screenshot of his bounty payout from Facebook.
White hat hackers, such as Prakash, are researchers who are paid to break into computer systems and networks in order to test and evaluate their security. Prakash has previously worked with Facebook on identifying bugs in its website.
“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” Facebook told Gizmodo in a statement. “We’re happy to recognize and reward Anand for his excellent report.”
In Facebook's standard password-recovery flow, a user who forgets a password receives a six-digit confirmation code by text message or email and enters it on the website; once the code is accepted, the password can be reset and the account accessed. The production site allows only a limited number of attempts to enter the code before the user is locked out, which matters because a six-digit code has just 1,000,000 possible values.
Facebook's beta sites, such as beta.facebook.com, did not enforce that lock-out. Prakash exploited this gap to brute-force his way into a target account: the beta site gave him an unlimited number of attempts at the six-digit confirmation code, so he could simply try every value until one was accepted.
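The following is an added example, not code from Facebook or from Prakash's write-up. It models the two behaviours the article contrasts: a reset-code check with no attempt limit (the beta-site behaviour) and the same check with a lock-out after a fixed number of failures (the production behaviour). The class and function names, the limit of ten attempts, and the fixed code used for demonstration are all assumptions made for the example.

```python
"""Brute-forcing a six-digit reset code with and without attempt lock-out.

Added example, not Facebook's code: a toy model of the "Forgot Password?"
flow described in the article. Names and the attempt limit are assumptions.
"""
import hmac
import secrets
from typing import Optional, Tuple

CODE_LENGTH = 6
KEYSPACE = 10 ** CODE_LENGTH  # 1,000,000 possible six-digit codes


class LockedOut(Exception):
    """Raised once the account has exhausted its verification attempts."""


class ResetCodeVerifier:
    """Models the server side of a password-reset code check.

    max_attempts=None reproduces the missing lock-out the article describes on
    the beta site; a small positive number models the production behaviour.
    """

    def __init__(self, max_attempts: Optional[int] = 10, code: Optional[str] = None):
        # A real service would store the code server-side per reset request and
        # expire it; here it lives in the object. `code` is settable only so the
        # behaviour can be demonstrated deterministically (assumed test hook).
        if code is None:
            code = f"{secrets.randbelow(KEYSPACE):0{CODE_LENGTH}d}"
        self._code = code
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        """Return True if `candidate` matches; lock the account on too many misses."""
        if self.locked:
            raise LockedOut("too many incorrect codes; request a new reset")
        self.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        ok = hmac.compare_digest(candidate.encode(), self._code.encode())
        if ok:
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
        return False


def brute_force(verifier: ResetCodeVerifier) -> Tuple[Optional[str], int]:
    """Try every code in order until one verifies or the account locks.

    Returns (code, attempts) on success, or (None, attempts) if the verifier
    locked the account first.
    """
    for n in range(KEYSPACE):
        candidate = f"{n:0{CODE_LENGTH}d}"
        try:
            if verifier.verify(candidate):
                return candidate, verifier.attempts
        except LockedOut:
            return None, verifier.attempts
    return None, verifier.attempts


if __name__ == "__main__":
    # Beta-site behaviour: no lock-out, so the attacker walks the whole keyspace.
    open_ended = ResetCodeVerifier(max_attempts=None)
    code, tries = brute_force(open_ended)
    print(f"no lock-out: recovered code {code} after {tries} attempts")

    # Production-style behaviour: the account locks after a handful of tries.
    guarded = ResetCodeVerifier(max_attempts=10)
    code, tries = brute_force(guarded)
    print(f"lock-out at 10: result {code!r}, locked after {tries} attempts")
```

Against the unlimited verifier the loop always terminates with the correct code, at worst after one million requests, which is a trivial amount of traffic for a script. Against the guarded verifier it is cut off after ten guesses, so the attacker's odds are one in a hundred thousand per reset request. The practical lesson of the report is that such a limit protects nothing unless every host that serves the endpoint, beta deployments included, enforces it.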
After the successful account takeover, Prakash wrote that he was "able to view messages, his credit/debit cards stored under payment section, personal photos, etc."
Facebook, like any other large website, has vulnerabilities, and it pays bug bounties to hackers who find and report them.