White hat hacker Anand Prakash found a simple bug in Facebook, which if exposed, could be a user’s worst nightmare. A security flaw in the website could let anyone access accounts by brute-forcing the password reset code.
The social media giant acknowledged the issue promptly, fixed it and rewarded Mr Prakash $15,000, considering the severity and impact of the vulnerability.
Mr Prakash, who’s been an active participant in Facebook’s bug bounty programme, where individuals receive recognition and compensation for identifying and reporting bugs in a website, said he came across the vulnerability on the Facebook website, where hackers could access a user’s messages, photos and even debit/credit card details stored in the payments section.
Talking to this newspaper, Mr Prakash explained the nature of the bug, adding that he used his own account to test the vulnerability.
Typically, Facebook sends a six-digit code to the registered phone number and email of a user trying to reset a forgotten password. Mr Prakash tried a brute-force attack, which involves exhaustively trying codes by trial and error. However, after 10-12 incorrect attempts, the website blocked Mr Prakash from any further attempts.
However, when Mr Prakash tried the same procedure on the beta version of Facebook, used by the testing community for performance evaluation, he realised that the limit on the number of incorrect attempts was missing. He then used an exhaustive search to try multiple permutations and combinations until he found the correct six-digit key.
“It’s very easy to brute force a six-digit key. I got the correct key and access to reset a new password in the 899th attempt,” Mr Prakash said.
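To show why the missing limit matters, here is an added example (not code from the article or from Facebook) of a minimal in-memory reset-code verifier with the per-user attempt limit the beta site lacked, plus a simulated trial-and-error run against it. The class and function names, the ten-attempt limit and the sample code value 000898 are assumptions chosen to match the article's description; there is no network or real service involved.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS  # 1,000,000 possible six-digit codes

@dataclass
class PendingReset:
    code: str
    failures: int = 0

@dataclass
class ResetCodeVerifier:
    """Issues and checks six-digit reset codes; max_attempts=0 disables the lockout."""
    # Assumption: 10 models the main site's 10-12 try limit; 0 models the beta site.
    max_attempts: int = 10
    pending: dict = field(default_factory=dict)

    def issue(self, user: str) -> str:
        # CSPRNG code, zero-padded so every value in the space is six digits.
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self.pending[user] = PendingReset(code)
        return code

    def verify(self, user: str, guess: str) -> str:
        pr = self.pending.get(user)
        if pr is None:
            return "no_pending_reset"
        # Constant-time compare so timing does not leak how many digits match.
        if hmac.compare_digest(pr.code, guess):
            del self.pending[user]  # a code is single-use
            return "ok"
        pr.failures += 1
        if self.max_attempts and pr.failures >= self.max_attempts:
            del self.pending[user]  # lock: the user must request a fresh code
            return "locked"
        return "wrong"

def exhaustive_trial(verifier: ResetCodeVerifier, user: str):
    """Simulate trial and error over the code space; return (outcome, attempts made)."""
    for n in range(CODE_SPACE):
        outcome = verifier.verify(user, f"{n:0{CODE_DIGITS}d}")
        if outcome != "wrong":
            return outcome, n + 1
    return "exhausted", CODE_SPACE
```

With a pending code of 000898, the unlimited verifier yields "ok" on the 899th attempt, as in the article, while the limited one returns "locked" after 10 and discards the code.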
Mr Prakash sent the bug report to Facebook’s security team on February 22 and received an e-mail about the reward on March 2.
A security engineer at Flipkart, 23-year-old Prakash has been actively contributing to the bounty programmes of Facebook and other websites, highlighting bugs with major impact. Mr Prakash ranked 4th and 3rd in Facebook’s bounty programme for finding the most bugs in 2015 and 2014, respectively. He had also won $12,500 for a bug he reported to Facebook last year.