A Bengaluru-based hacker got a reward of $15,000 (approximately Rs 10 lakh) for reporting a bug in Facebook's login system.
The bug, had it gone undetected, could have let attackers access a user's messages, photos and other personal details stored in the account.
Anand Prakash, the hacker who reported the critical flaw to the social networking site, works as a security analyst at Flipkart. Facebook fixed the issue promptly after it was reported.
According to Prakash, he sent the bug report to the Facebook security team on February 22 and received a mail about the reward on March 2.
“Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address and Facebook will then send a 6 digit code on his phone number/email address, which can be used in order to set a new password,” Prakash wrote in his blog on Monday.
The bug he found had to do with how beta encryption works on the social networking site. Prakash found that Facebook's beta sites did not limit the number of attempts at entering the PIN used for a password reset.
Normally, Facebook's account reset tool blocks an attacker after 10-12 invalid attempts, but Prakash was able to manipulate the scripts on beta.facebook.com and mbasics.beta.facebook.com and bypass the limit on PIN attempts for password resets.
In that way he could take over the targeted account, reset its password, read messages, view photos and videos, and see debit/credit card related information.
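The distinction the article draws, between a reset-code check that locks after a handful of wrong guesses and one that never does, is easy to model. The following is an added example written for this article, not Facebook's code: a hypothetical `PasswordResetService` whose `max_attempts=None` setting reproduces the unlimited behaviour described for the beta sites, beside the default that locks the challenge after 10 failures. The attempt limit and the 6-digit code length are taken from the text; the class, function names and lockout logic are assumptions for illustration.

```python
"""Minimal model of a password-reset code check with and without an attempt limit."""
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6
DEFAULT_MAX_ATTEMPTS = 10  # the article describes a block after 10-12 invalid attempts


@dataclass
class ResetChallenge:
    code: str
    attempts: int = 0
    locked: bool = False


class PasswordResetService:
    """Hypothetical reset service; max_attempts=None models the unlimited beta behaviour."""

    def __init__(self, max_attempts=DEFAULT_MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._challenges = {}

    def issue_code(self, user_id):
        # A fresh challenge replaces any outstanding one. A real service would
        # deliver the code to the user's phone/email rather than return it.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[user_id] = ResetChallenge(code)
        return code

    def verify(self, user_id, submitted):
        ch = self._challenges.get(user_id)
        if ch is None or ch.locked:
            return False  # no outstanding challenge, or already locked out
        ch.attempts += 1
        if hmac.compare_digest(ch.code, submitted):
            del self._challenges[user_id]  # one-time use: the code cannot be replayed
            return True
        if self.max_attempts is not None and ch.attempts >= self.max_attempts:
            ch.locked = True  # even the right code is refused until a new one is issued
        return False

    def is_locked(self, user_id):
        ch = self._challenges.get(user_id)
        return ch is not None and ch.locked


def accepts_after_wrong_guesses(service, user_id, code, n_wrong):
    """Submit n_wrong incorrect codes, then the real one; return whether it is accepted."""
    for i in range(n_wrong):
        # Constructed wrong guesses: offsets from the real code, so none equals it.
        wrong = f"{(int(code) + i + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
        service.verify(user_id, wrong)
    return service.verify(user_id, code)


def success_probability(max_attempts, digits=CODE_DIGITS):
    """Chance that max_attempts guesses hit a uniformly random code of the given length."""
    return max_attempts / 10 ** digits


if __name__ == "__main__":
    limited = PasswordResetService()
    code = limited.issue_code("alice")
    print("limited service accepts code after 10 wrong guesses:",
          accepts_after_wrong_guesses(limited, "alice", code, 10))
    unlimited = PasswordResetService(max_attempts=None)
    code = unlimited.issue_code("alice")
    print("unlimited service accepts code after 5000 wrong guesses:",
          accepts_after_wrong_guesses(unlimited, "alice", code, 5000))
    print("success probability with a 10-attempt cap:", success_probability(10))
```

With the cap in place a guesser gets at most 10 tries against a million possibilities, so the chance of success is one in a hundred thousand per reset; without it, every code is eventually reachable, which is exactly the condition the researcher reports. The lockout also refuses the correct code once triggered, so the legitimate user has to request a new one, which is the intended trade-off.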
“Brute forcing the ‘n’ successfully allowed me to set new password for any Facebook user,” Prakash wrote. He demonstrated the hack on his own account rather than on other users' accounts, which also qualified him for a reward under Facebook's bug bounty programme.
Facebook's beta programme is used by testers on a wide range of devices to find bugs, which helps the world's largest social networking platform improve the site's performance and security without affecting the main platform.
Prakash sent the bug report to Facebook's security team on February 22. The social networking site started its bug bounty programme in 2011 and has paid out over $1 million in rewards to 330 security researchers around the world.