Facebook gives Bengaluru hacker Rs10 lakh for finding flaw

09 Mar 2016

A Bengaluru-based hacker, Anand Prakash, recently found a critical flaw in Facebook's login system that could have been used by miscreants to hack into other users' Facebook accounts, putting as many as 1.6 billion users of the social media platform at risk.

The vulnerability he found could apparently give a hacker full access to another's account without any actual user interaction, writes Prakash on his official blog.

"Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number or email address. Facebook will then send a 6-digit code to his phone number or address, which the user has to enter in order to set a new password. I tried to brute the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts," he said.

He then tried the same thing on beta.facebook.com and mbasic.beta.facebook.com and found that "rate limiting was missing on 'forgot password' endpoints". Without the limit, he was able to set a new password for his account and then use that password to log in to the account.
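The behaviour Prakash describes, a six-digit reset code that one endpoint throttles after about ten wrong guesses while another accepts guesses indefinitely, is easy to model. The following Python is an added example, not code from the article or from Facebook: it is an in-memory stand-in for a reset endpoint, and the attempt limit, lockout length and code lifetime are assumed policy values chosen for illustration. The same service can be constructed with rate limiting off, which reproduces the weak behaviour of the beta endpoints, or on, which is the hardened form.

```python
import hmac
import secrets
import time

# Assumed policy values for this example; the article only says that
# www.facebook.com blocked after 10-12 invalid attempts.
MAX_FAILED_ATTEMPTS = 10        # wrong guesses before the account is locked
LOCKOUT_SECONDS = 15 * 60       # how long verification stays refused
CODE_TTL_SECONDS = 10 * 60      # a code older than this is rejected


class PasswordResetService:
    """In-memory model of a 'forgot password' endpoint.

    issue_code() plays the role of sending the 6-digit code; verify_code()
    is the endpoint the user (or an attacker) submits guesses to.
    rate_limited=False is the weak configuration; True is the hardened one.
    """

    def __init__(self, rate_limited=True, clock=time.time):
        self.rate_limited = rate_limited
        self.clock = clock                 # injectable for testing
        self._pending = {}                 # account -> [code, issued_at, failures]
        self._locked_until = {}            # account -> unix time lockout ends
        self.alerts = []                   # lockout events, e.g. for a SIEM feed

    def issue_code(self, account):
        now = self.clock()
        if self.rate_limited and now < self._locked_until.get(account, 0.0):
            return None                    # no fresh code while locked out
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded
        self._pending[account] = [code, now, 0]
        return code

    def verify_code(self, account, submitted):
        now = self.clock()
        if self.rate_limited and now < self._locked_until.get(account, 0.0):
            return "locked"
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_reset"
        code, issued_at, failures = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self._pending[account]             # a code is single-use
            return "ok"
        entry[2] = failures + 1
        if self.rate_limited and entry[2] >= MAX_FAILED_ATTEMPTS:
            # Invalidate the code as well as locking, so the lockout cannot
            # simply be waited out and the same code guessed again later.
            del self._pending[account]
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self.alerts.append({"account": account, "event": "reset_lockout", "at": now})
            return "locked"
        return "invalid"


def demo(rate_limited):
    """Submit MAX_FAILED_ATTEMPTS wrong guesses, then the real code.

    Returns the verdict sequence plus what happens to a correct code
    afterwards, so the weak and hardened behaviours can be compared.
    """
    t = [1_000_000.0]
    service = PasswordResetService(rate_limited=rate_limited, clock=lambda: t[0])
    real = service.issue_code("user@example.invalid")   # constructed account
    wrong = "000000" if real != "000000" else "000001"
    verdicts = [service.verify_code("user@example.invalid", wrong)
                for _ in range(MAX_FAILED_ATTEMPTS)]
    after = service.verify_code("user@example.invalid", real)
    t[0] += LOCKOUT_SECONDS + 1                         # let any lockout expire
    after_lockout = service.verify_code("user@example.invalid", real)
    return {"verdicts": verdicts, "real_code_after": after,
            "real_code_after_lockout": after_lockout, "alerts": len(service.alerts)}


if __name__ == "__main__":
    print("weak    :", demo(rate_limited=False))
    print("hardened:", demo(rate_limited=True))
```

The weak configuration answers "invalid" forever and still accepts the real code after any number of misses, which is what makes a six-digit code guessable. The hardened configuration locks the account on the tenth miss, emits an alert that can be counted per account and per source in monitoring, and discards the pending code so that a correct guess after the lockout window finds nothing to verify against; the user must request a new code. In a real deployment the counters would live in shared storage and be keyed by source address as well as account, so that the limit cannot be evaded by spreading guesses across hosts such as the beta endpoints mentioned above.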

The flaw could give a hacker full access to a user's "messages, his/her credit/debit cards stored under payment section, personal photos etc".

According to Anand, Facebook has acknowledged the issue and fixed it. Anand, who works at Flipkart as a security engineer, has also been awarded $15,000 (over Rs10 lakh) by the social media giant for bringing the vulnerability to light.