The vulnerability could have let an attacker reset a user's password and then access every part of their account on the social messaging platform, including messages, photos, and the credit and debit card details stored under the payments section.
Instead, the flaw was found first by Bangalore-based security researcher Anand Prakash, who promptly notified Facebook in February, sparing the company that embarrassment.
If a user forgets their password, Facebook sends a six-digit code to their email address or phone number when they request a new one. A six-digit code has only a million possible values, so it can be brute-forced by anyone given unlimited attempts. While Facebook's main site limits a user to 10-12 attempts at entering the correct code, Prakash noticed that its beta sites did not, and he was able to break into his own account, setting a new password for it by brute-forcing the code through those sites.
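The check that was missing on the beta sites, as an added illustration rather than Facebook's code or Prakash's proof of concept: a reset-code verifier that never counts wrong guesses beside one that stores an attempt counter with the code and burns the code after a fixed number of failures, with the same brute-force loop run against both. The ten-attempt limit, the user names and the fixed demo code are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_LEN = 6          # six-digit reset code, as in the article: 10**6 possibilities
MAX_ATTEMPTS = 10     # assumed limit for the hardened verifier (the article cites 10-12)


@dataclass
class ResetCode:
    code: str
    attempts: int = 0   # wrong-guess counter, stored with the code itself
    consumed: bool = False


class VulnerableVerifier:
    """Reset-code check that never counts failures: the behaviour the beta sites showed."""

    def __init__(self):
        self.pending = {}   # user -> ResetCode

    def issue(self, user, code=None):
        # A real service picks the code randomly; a fixed code is accepted here only
        # so the demo below is reproducible.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.pending[user] = ResetCode(code)
        return code

    def has_pending(self, user):
        return user in self.pending

    def verify(self, user, guess):
        rc = self.pending.get(user)
        if rc is None or rc.consumed:
            return False
        if hmac.compare_digest(rc.code, guess):   # constant-time compare
            rc.consumed = True
            return True
        return False   # wrong guess, but nothing is recorded: the caller may try forever


class HardenedVerifier(VulnerableVerifier):
    """Same check, but the attempt counter lives with the stored code, so every
    front end that accepts the code (main site, beta site, mobile) shares one limit."""

    def verify(self, user, guess):
        rc = self.pending.get(user)
        if rc is None or rc.consumed:
            return False
        rc.attempts += 1
        if rc.attempts > MAX_ATTEMPTS:
            # Too many guesses: burn the code; the user must request a fresh one.
            del self.pending[user]
            return False
        if hmac.compare_digest(rc.code, guess):
            rc.consumed = True
            return True
        return False


def brute_force(verifier, user):
    """Try every six-digit code in order. Returns (code_found_or_None, guesses_made)."""
    for n in range(10 ** CODE_LEN):
        guess = f"{n:0{CODE_LEN}d}"
        if verifier.verify(user, guess):
            return guess, n + 1
        if not verifier.has_pending(user):   # code invalidated: the attacker is locked out
            return None, n + 1
    return None, 10 ** CODE_LEN


if __name__ == "__main__":
    DEMO_CODE = "042917"   # constructed demo value, not a real reset code
    v = VulnerableVerifier()
    v.issue("alice", DEMO_CODE)
    print("no limit:  ", brute_force(v, "alice"))   # ('042917', 42918)
    h = HardenedVerifier()
    h.issue("alice", DEMO_CODE)
    print("with limit:", brute_force(h, "alice"))   # (None, 11)
```

The design point is where the counter is kept: a limit enforced only in the main site's front end does nothing for a second host that talks to the same backend, which is exactly the gap a beta domain opens. Tying the counter to the stored code, and discarding the code once it is exceeded, makes every path that accepts the code share the same budget.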
He showed his proof of concept in a video on his blog, before Facebook verified the issue and rewarded him.
$15,000 seems like a measly bounty considering the massive publicity disaster the company avoided. Facebook sizes bug bounties by the damage a bug could do, and one like Prakash's, while relatively simple, could have given attackers full access to any account.
329 people have received a bounty so far, including professional researchers, students and amateurs. The youngest recipient was 13 years old, and the largest bounty to date was $33,500, paid out to a Brazilian security researcher in 2014. Because it was a 'remote code execution vulnerability', which allows attackers to serve malware to people visiting a vulnerable website, Facebook placed it in its most serious category of risk.
The next-largest was $20,000, paid out to a British researcher back in 2013 who discovered it was possible to trick Facebook's text-message verification system into sending the password reset code for another person's account.