Anand Prakash could have hacked your Facebook account or anyone else’s.
The India-based security researcher found a glaring password-reset vulnerability last month that has since been patched. The bug allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack.
But instead of pillaging accounts for financial data, Prakash reported his findings to Facebook which earned him a $15,000 bug bounty on March 2. The dollar value of his discovery, Facebook told Threatpost, is huge by Facebook standards. According to Facebook, only a rare few have earned more as part of its Bug Bounty Program.
Why was Facebook’s payout so much? It’s tied to the seriousness of the potential threat; what Prakash found is unnerving for anyone who values the privacy and security of their Facebook account. Prakash’s discovery was a mix of finding low-hanging fruit, being in the right place at the right time and being a prolific bug hunter, said a Facebook spokesperson.
The vulnerability exploited a hole in the way Facebook handles self-service password resets. “All you needed for this exploit was a Facebook username,” Prakash told Threatpost in an email exchange.
Last month, Prakash said, when he was probing for flaws in Facebook’s security, he noticed Facebook’s developer site (beta.facebook.com) and the company’s stripped-down basic version of its site (mbasic.beta.facebook.com) implemented different security settings when it came to password resets.
Prakash explains, whenever a user forgets their password they have the option to reset the password by entering any phone number or any email address via Facebook’s dedicated password-reset page. Facebook will then send a six digit code to the phone number or the email address you just entered in order to initiate the password reset. “I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts,” wrote Prakash in his research notes posted to his personal website.
But Prakash’s brute force password attack wasn’t blocked on beta.facebook.com and mbasic.beta.facebook.com. “Rate limiting was missing on forgotten password endpoints,” he said. That allowed Prakash to easily crack the six digit code using Burp Suite, security testing software.
“It was a very simple exploit. This hack was available to anyone,” Prakash told Threatpost. “All an attacker needed was a username and initiate a forgotten password request.”
For Facebook’s part, it told Threatpost that Prakash had stumbled on a temporary bug that was only a vulnerability for a very short period of time.
Prakash said that only account he hacked open was his own. He said he discovered the bug and reported it the same day. Facebook said it plugged the security hole within hours of learning about it.
“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We’re happy to recognize and reward Anand for his excellent report,” a Facebook spokesperson said.
The find also earned Prakash a Twitter shout-out from Alex Stamos, Facebook’s chief security officer. He tweeted “Great bug, Anand. Enjoy the $15K.”
Great bug, Anand. Enjoy the $15K. 🙂 https://t.co/Xr38D8j3Jl
— Alex Stamos (@alexstamos) March 7, 2016
This is Prakash’s 90th bug found on Facebook. The security researcher, who has a full time job as a product security engineer at Flipkart, India’s version of the ecommerce site Amazon.com, is based in Karnataka, Bangalore in India.