Indian techie finds bug that let him hack anyone's Facebook account, gets $15,000 award.
1. Anand Prakash finds bug in Facebook login system; rewarded $15000.
2. Bengaluru hacker gets $15,000 reward for reporting bug to Facebook.
3. Bengaluru boy finds Facebook bug, gets $15,000 for it.
4. Facebook paid $15,000 to close a bug that could unlock any user's account.
Hoax or Fact:
Various stories spreading widely over the internet say that an Indian techie from Bangalore, Anand Prakash, found a security bug in Facebook's login system and was awarded $15,000 by Facebook. Yes, the claims are facts.
In February 2016, Anand Prakash, a security engineer with the Indian e-commerce website Flipkart, discovered a simple but major flaw in Facebook's account security. He found that one could reset any Facebook account's password on beta.facebook.com and mbasic.beta.facebook.com, where developers often deploy new features that are not yet ready for facebook.com. When an account is reset using the 'Forgot Password' feature, Facebook sends a 6-digit PIN to the user's phone, which acts as a temporary password while the account is reset. When someone tries to abuse this feature to log in by guessing the PIN, Facebook normally cuts them off after 10-12 invalid attempts. Anand Prakash noticed that these protections were missing on the beta.facebook.com and mbasic.beta.facebook.com versions of Facebook, where every Facebook account is available. The bug therefore allowed him to keep guessing the PIN until he got it right and log into any Facebook account. Anand wrote about the bug on his web application security blog, anandpraka.sh, where he also demonstrated the flaw in a video that is shown in this article.
Anand Prakash reported the issue to Facebook on 22 Feb. 2016, and the next day the company confirmed that the bug had been fixed. For reporting the issue, Anand Prakash was awarded $15,000 on 2nd March as part of Facebook's Security Bug Bounty program. Bug bounty programs are run by technology giants like Facebook and Google to encourage ethical hackers to identify vulnerabilities in their systems. It's worth noting that Anand Prakash is a veteran participant in such bug bounty programs and has reported bugs to Twitter, Google, Blackberry, Adobe, Nokia, SoundCloud and PayPal.