Facebook Password Reset Bug Gave Hackers Access To Any Account

Researcher earns $15,000 bounty from Facebook for discovering massive password security hole exposing 1.1 billion accounts to a possible account takeover.

Anand Prakash could have hacked your Facebook account or anyone else’s.

The India-based security researcher found a glaring password-reset vulnerability last month that has since been patched. The bug allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack.

But instead of pillaging accounts for financial data, Prakash reported his findings to Facebook, which earned him a $15,000 bug bounty on March 2. The dollar value of his discovery, Facebook told Threatpost, is huge by Facebook standards. According to Facebook, only a rare few have earned more as part of its Bug Bounty Program.

Why was Facebook’s payout so large? It’s tied to the seriousness of the potential threat; what Prakash found is unnerving for anyone who values the privacy and security of their Facebook account. Prakash’s discovery was a mix of finding low-hanging fruit, being in the right place at the right time and being a prolific bug hunter, said a Facebook spokesperson.

The vulnerability exploited a hole in the way Facebook handles self-service password resets. “All you needed for this exploit was a Facebook username,” Prakash told Threatpost in an email exchange.

Last month, Prakash said, when he was probing for flaws in Facebook’s security, he noticed Facebook’s developer site (beta.facebook.com) and the company’s stripped-down basic version of its site (mbasic.beta.facebook.com) implemented different security settings when it came to password resets.

Prakash explains that whenever users forget their password, they have the option to reset it by entering any phone number or email address on Facebook’s dedicated password-reset page. Facebook then sends a six-digit code to that phone number or email address to initiate the password reset. “I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts,” wrote Prakash in his research notes posted to his personal website.

But Prakash’s brute force attack wasn’t blocked on beta.facebook.com and mbasic.beta.facebook.com. “Rate limiting was missing on forgotten password endpoints,” he said. That allowed Prakash to easily crack the six-digit code using Burp Suite, a security testing tool.
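As an added illustration of the control that was missing on the beta endpoints (this is not Facebook’s code or anything from Prakash’s write-up), here is a minimal reset-code verifier in Python that voids a code after the roughly ten bad guesses Prakash saw enforced on www.facebook.com, makes each code single-use and time-limited, and caps how often a new code can be requested so an attacker cannot simply refresh the guess budget. The code lifetime, the hourly issue cap and all names are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10            # www.facebook.com blocked after about 10-12 bad guesses
CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a code; not stated in the article
MAX_ISSUES_PER_HOUR = 5      # assumed cap on new reset requests per account


@dataclass
class PendingReset:
    code: str
    created_at: float
    attempts: int = 0


class ResetCodeStore:
    """One pending six-digit code per account with a guess budget and a TTL; `now` is injectable for tests."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # username -> PendingReset
        self._issued = {}    # username -> timestamps of recent reset requests

    def issue(self, username):
        """Create a fresh code; returns None when the account is over the hourly issue cap."""
        now = self._now()
        recent = [t for t in self._issued.get(username, []) if now - t < 3600]
        if len(recent) >= MAX_ISSUES_PER_HOUR:
            return None
        self._issued[username] = recent + [now]
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = PendingReset(code, now)
        return code  # delivered out of band (SMS/email), never to the requester

    def verify(self, username, submitted):
        req = self._pending.get(username)
        if req is None:
            return False
        if self._now() - req.created_at > CODE_TTL_SECONDS:
            del self._pending[username]          # expired: the user must start over
            return False
        req.attempts += 1
        if hmac.compare_digest(req.code, submitted):
            del self._pending[username]          # single use
            return True
        if req.attempts >= MAX_ATTEMPTS:
            del self._pending[username]          # budget spent: even the right code is now void
        return False
```

In a real deployment the same budget would also be keyed on client IP and session so that the limit cannot be dodged by spreading guesses across accounts, and every voided code should be logged as a brute-force signal.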

“It was a very simple exploit. This hack was available to anyone,” Prakash told Threatpost. “All an attacker needed was a username and initiate a forgotten password request.”

For Facebook’s part, it told Threatpost that Prakash had stumbled on a temporary bug that was only a vulnerability for a very short period of time.

Prakash said that the only account he hacked open was his own. He said he discovered the bug and reported it the same day. Facebook said it plugged the security hole within hours of learning about it.

“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We’re happy to recognize and reward Anand for his excellent report,” a Facebook spokesperson said.

The find also earned Prakash a Twitter shout-out from Alex Stamos, Facebook’s chief security officer. He tweeted “Great bug, Anand. Enjoy the $15K.”

This is Prakash’s 90th bug found on Facebook. The security researcher, who has a full-time job as a product security engineer at Flipkart, India’s version of the e-commerce site Amazon.com, is based in Karnataka, Bangalore in India.

  • احمد الشريف on

    I've had my account hacked; I hope it can be retrieved.
  • Me on

    Bug still there... I've had to begin new accounts 5 times in the last 7 days. Awoke this morning and guess what? Password changed again. Reset done through SMS Messenger and that's all the hackers needed to get my email, so resetting on email no longer works either. My friends won't even accept requests anymore due to the crude posting by the hackers on previous accessed sites, and my stress is now so high I vomit consistently every single day. It's time for Facebook to figure this out or shut down entirely.
  • Dallas on

    Not fixed... 5th account set up in the last 7 days. Lost friends due to crude hacker's postings. Puking every day over stress. Concurrently emails hacked once they got into your Facebook. Then retrieve online banking info. My son's money gone too. Facebook needs to fix immediately or shut down entirely before millions more people also consistently lose even more money than I.
