A security researcher has been awarded a $15,000 bug bounty by Facebook barely a week after reporting an apparently simple but high-risk vulnerability which theoretically allowed him access to every user’s account.
Bangalore-based Anand Prakash discovered a serious flaw on the developer sites beta.facebook.com and mbasic.beta.facebook.com, he revealed in a blog post.
Specifically, on these sites there was no limit set on how many times a user could guess the one-time, six-digit code sent by Facebook via email or text to reset a user account.
On the regular Facebook site, the limit is set to 10-12 invalid attempts, but on these beta sites there was none, meaning Prakash could launch a brute force attack to crack the code and gain entry to a user’s account, he said.
Since these beta sites gave access to every Facebook user's account, the flaw could have allowed him to hijack anyone's account on the social network.
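As an added illustration, not code from the article or from Facebook, this Python sketch shows why the verifier, not the six-digit code, is what has to stop guessing: the same reset-code check with the beta sites' unlimited attempts beside a per-code cap like the main site's. The class and function names are assumptions.

```python
import hmac
import secrets

# Six-digit codes give only 1,000,000 possibilities, so a verifier that
# accepts unlimited guesses lets an attacker try them all.
CODE_SPACE = 10 ** 6


class ResetCodeVerifier:
    """Hypothetical password-reset verifier.

    max_attempts=None reproduces the beta-site behaviour (no limit);
    max_attempts=10 mirrors the main site's policy of roughly 10-12 tries.
    """

    def __init__(self, max_attempts=10):
        self.max_attempts = max_attempts
        self._pending = {}  # account -> [code, failed_attempts]

    def issue(self, account):
        # Fresh random code per reset request; the caller sends it by email/SMS.
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[account] = [code, 0]
        return code

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return False  # no outstanding reset, or code already consumed/locked
        code, failed = entry
        if hmac.compare_digest(code, guess):
            del self._pending[account]  # one-time: success consumes the code
            return True
        entry[1] = failed + 1
        if self.max_attempts is not None and entry[1] >= self.max_attempts:
            del self._pending[account]  # burn the code; user must request a new one
        return False

    def is_pending(self, account):
        return account in self._pending


def max_guess_success(max_attempts):
    """Upper bound on an attacker's chance of guessing one code under the cap."""
    if max_attempts is None:
        return 1.0  # unlimited guesses cover the whole code space
    return min(1.0, max_attempts / CODE_SPACE)
```

With the cap, each reset gives an attacker at most a 10-in-a-million chance, and the code is gone after the tenth miss.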
Prakash explains the following in a summary:
“This post is about a simple vulnerability found on Facebook which could have been used to hack into other users' Facebook accounts easily without any user interaction. This gave me full access to another user's account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc.”
The issue was reported to Facebook in late February via the regular channels and fixed the next day, with a $15,000 reward sent out just eight days later.
Although it might have been easy to spot and carry out, the speed with which Facebook fixed the bug and issued the bounty highlights the potential seriousness of the flaw.
The social network’s bug bounty explanatory page claims: “Due to the volume of reports that we receive … we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.”
The minimum reward for finding vulnerabilities in Facebook, Instagram or its other related businesses is $500, although the firm does not state a maximum it is prepared to pay researchers.