A white hat hacker in India says he found a way to hack into any Facebook user’s profile. Don’t freak out though! Like a good white hat, the hacker alerted Facebook to the disastrous loophole. Facebook paid him a $15,000 bug bounty. Seems small.
Anand Prakash is the aforementioned security engineer from India. In a blog post tauntingly titled “How I could have hacked all Facebook accounts,” Prakash explains how he discovered a way of exploiting Facebook’s “Forgot Password?” algorithm to force his way into anybody’s account and uploaded a proof-of-concept video that shows the exploit. Prakash also provided a screenshot of his bug bounty payment from Facebook. (Gizmodo has reached out to Facebook for comment and will update this post when we hear back.)
As you probably know, if you’ve forgotten your password, Facebook will text or email a six-digit confirmation code to plug into the site so that you can reset the password and access your profile. Facebook allows people several attempts to enter the code correctly before they get locked out. It’s a technique called rate-limiting, which essentially prevents identity thieves from simply going down the list of all possible number combinations in order to eventually crack the code. This hacker technique is called brute forcing.
The problem is that Facebook’s beta sites (like beta.facebook.com) didn’t have that rate-limiting function in place. And so Prakash brute-forced his way into someone’s account since the beta site gave him an unlimited number of attempts to enter that six-digit confirmation code. Check out Prakash’s YouTube video for the whole play-by-play.
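To make the rate-limiting point concrete, here is an added example (not code from the article, from Prakash, or from Facebook) of a reset-code verifier. The same class can run with an attempt limit, which is the protection the article describes on the main site, or with `max_attempts=None`, which reproduces the unlimited-attempt behaviour attributed to the beta site. The threshold, the code lifetime and the account names are assumptions.

```python
"""Added example: one-time reset-code verifier with and without attempt limiting.
All values below are assumptions, not Facebook's actual settings."""
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed lockout threshold
CODE_TTL_SECONDS = 600    # assumed code lifetime (10 minutes)


class ResetCodeStore:
    """Issue and verify one-time reset codes; max_attempts=None means no lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, now=time.time):
        self.max_attempts = max_attempts
        self.now = now  # injectable clock so expiry can be tested offline
        self._codes = {}  # account -> {"code", "issued", "attempts"}

    def issue(self, account):
        """Generate a fresh code; re-issuing resets the attempt counter."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = {"code": code, "issued": self.now(), "attempts": 0}
        return code

    def verify(self, account, guess):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'none' (no code issued)."""
        entry = self._codes.get(account)
        if entry is None:
            return "none"
        if self.now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._codes[account]
            return "expired"
        # The check that the beta site lacked: refuse once the budget is spent.
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            return "locked"
        entry["attempts"] += 1  # malformed guesses still consume an attempt
        well_formed = len(guess) == CODE_DIGITS and guess.isascii() and guess.isdigit()
        if well_formed and hmac.compare_digest(entry["code"], guess):
            del self._codes[account]  # one-time use
            return "ok"
        return "wrong"


def guess_budget_fraction(max_attempts):
    """Share of the 10**6 code space an attacker can try before lockout."""
    if max_attempts is None:
        return 1.0  # unlimited attempts: the whole space is reachable
    return max_attempts / 10 ** CODE_DIGITS


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("alice")
    print("issued", code)
    print("budget with limit:", guess_budget_fraction(MAX_ATTEMPTS))
    print("budget without limit:", guess_budget_fraction(None))
```

The limit is enforced server-side per account and per issued code, and a new code resets the counter only because issuing one requires a fresh "Forgot Password?" request; the constant-time comparison avoids leaking which digits matched.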
After successfully resetting the user’s password, Prakash says he was “able to view messages, his credit/debit cards stored under payment section, personal photos, etc.” This is exactly the type of data you wouldn’t want a hacker to steal.
Prakash says he discovered the vulnerability and reported it to Facebook on February 22. By March 2, Facebook awarded him $15,000. Without confirmation from Facebook, there’s always the chance that this is some very elaborate hoax. However, Facebook does indeed have serious vulnerabilities and pays hackers a bounty for discovering them. A year ago, Gizmodo reported on a very similar sort of story about a white hat hacker and a bug that allowed him to delete any photo on the social network. Facebook confirmed that exploit and the resultant bounty after we published our story, so we’ll see what Zuck and company decide to do this time around. [The Hacker News via Anand Prakash]