This vulnerability was discovered by Anand Prakash, an Indian hacker and cybersecurity researcher. He received a $15,000 reward.
Had it been discovered by a malicious hacker, it would no doubt have cost Facebook dearly. A flaw allowing access to any account on the social network was spotted by Anand Prakash, an Indian hacker who is also a cybersecurity researcher. As a “white hat” hacker working for the public good and safety, he alerted the social network on February 22, and it fixed the problem the next day.
As he explains on his blog, in a post titled “How I could hack any Facebook account,” the bug affected the password reset process. Normally, through its two-factor authentication system, Facebook sends a temporary six-digit code to the user’s smartphone. After ten incorrect attempts, the account is blocked.
These protections were absent from Facebook’s beta versions (beta.facebook.com and mbasic.beta.facebook.com), sites used by developers and on which the hacker discovered the flaw. Through these sites, Anand Prakash could test millions of combinations without being stopped by the attempt limit. He broke into his own account to confirm the vulnerability.
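The article describes the two settings side by side: a six-digit reset code that locks after ten wrong attempts, and beta hosts where that lock was missing. The following added example (constructed for this page, not Facebook’s code) is a small reset-code verifier that enforces the limit per account; passing `max_attempts=None` reproduces the unguarded beta behaviour so the difference can be measured. The ten-minute expiry, single-use rule and `code_source` hook are assumptions for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example, not Facebook's code. Limits mirror the article: a six-digit
# code and a lock after ten wrong attempts; the ten-minute expiry is an assumption.
MAX_ATTEMPTS = 10
CODE_TTL_SECONDS = 600


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    failures: int = 0


class ResetCodeVerifier:
    """Per-account reset-code store. max_attempts=None reproduces the unguarded
    behaviour the article describes on the beta hosts (no lock at all)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS,
                 clock=time.time, code_source=lambda: secrets.randbelow(10**6)):
        self.max_attempts, self.ttl, self.clock = max_attempts, ttl, clock
        self.code_source = code_source  # hypothetical hook so tests can fix the code
        self._challenges = {}

    def issue(self, account):
        # The code would be delivered out of band (SMS); returned here only for the demo
        code = f"{self.code_source():06d}"
        self._challenges[account] = ResetChallenge(code, self.clock())
        return code

    def verify(self, account, guess):
        ch = self._challenges.get(account)
        if ch is None:
            return False
        if self.clock() - ch.issued_at > self.ttl:
            del self._challenges[account]  # expired: a fresh code must be requested
            return False
        if hmac.compare_digest(ch.code, guess):
            del self._challenges[account]  # single use
            return True
        ch.failures += 1
        if self.max_attempts is not None and ch.failures >= self.max_attempts:
            del self._challenges[account]  # locked: even the right code now fails
        return False


def guess_sequentially(verifier, account, max_guesses=10**6):
    """Return how many guesses it took to pass verify(), or None if the limit stopped it."""
    for n in range(max_guesses):
        if verifier.verify(account, f"{n:06d}"):
            return n + 1
    return None
```

The same check must run on every host that serves the reset flow; the article's point is that a limit enforced only on the main site is no limit at all.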
As a thank you, Mark Zuckerberg’s company awarded a $15,000 reward under its Bug Bounty program, launched in 2011. This program, which rewards those who report vulnerabilities to Facebook, has already uncovered 2,400 flaws. So far, Facebook has paid out $4.3 million (€3.8 million) to over 800 “white hats” around the world.