
Facebook patches beta site bug, pays bounty

He was able to successfully set a new password for his account and then used the same password to log in to the account.


A six-digit code is then sent by the social network to verify the owner, and this code must be entered to create a new password. A security flaw in the website could let anyone access accounts by brute-forcing the password-reset code.

Whenever users forget their Facebook password, they have to fill in a form with the email address or phone number associated with their Facebook account.

Melanie Ensign, a security communications representative at Facebook, said both the beta and main Facebook sites are protected against brute-force attacks, but that this bug appeared unnoticed while Facebook was performing a back-end system update.

However, Prakash was able to get around this on Facebook’s beta website. “This was a bug which could be exploited by anyone,” Prakash added. Facebook, which has also worked with Prakash before, said in a statement to Gizmodo that “one of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production”.

On Facebook’s main website, attempts to brute-force the code are blocked after 10 to 12 attempts. Facebook does, nonetheless, have serious vulnerabilities and pays hackers a bounty for discovering them.

Prakash looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com and found that rate limiting was missing from the “forgot password” endpoints.
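To make the missing control concrete, the following is an added illustration (not Facebook’s code, which is not public) of a reset-code verifier run with and without a per-challenge attempt limit. The six-digit code and the roughly ten-attempt cutoff follow the article; the account name, the fixed test code and the verifier design are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6          # six-digit reset code, as described in the article
DEFAULT_MAX_ATTEMPTS = 10  # main site blocked after ~10 tries; beta had no limit (assumed)


@dataclass
class ResetChallenge:
    code: str
    attempts: int = 0


class ResetCodeVerifier:
    """Holds one outstanding reset challenge per account and checks guesses."""

    def __init__(self, max_attempts):
        # max_attempts=None models the beta-site defect: no rate limiting at all.
        self.max_attempts = max_attempts
        self.challenges = {}

    def issue(self, account, code=None):
        # A fixed code may be supplied for deterministic tests; otherwise it is random.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[account] = ResetChallenge(code)
        return code

    def verify(self, account, guess):
        ch = self.challenges.get(account)
        if ch is None:
            return "no_challenge"          # nothing outstanding, or already consumed
        if self.max_attempts is not None and ch.attempts >= self.max_attempts:
            return "locked"                # the control the beta endpoints lacked
        ch.attempts += 1
        if hmac.compare_digest(ch.code, guess):  # constant-time comparison
            del self.challenges[account]   # a code is single-use
            return "ok"
        return "wrong"


def attempts_until_outcome(verifier, account):
    """Control-effectiveness check: feed every possible code in order and report
    whether the challenge is accepted, locked out, or exhausted, and after how many tries."""
    for i in range(10 ** CODE_DIGITS):
        result = verifier.verify(account, f"{i:0{CODE_DIGITS}d}")
        if result == "ok":
            return ("account_reset", i + 1)
        if result == "locked":
            return ("locked", i + 1)
    return ("exhausted", 10 ** CODE_DIGITS)
```

With no limit every one of the million codes is testable, so the challenge is eventually accepted; with the limit the same walk is stopped after the tenth wrong guess.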

Prakash says he discovered the vulnerability and reported it to Facebook on February 22.

As you probably know, if you’ve forgotten your password, Facebook will text or email a six-digit confirmation code to plug into the site so that you can reset the password and access your profile. Only two years later, the firm had paid out over $1m in rewards to 330 security researchers across the globe, Facebook revealed.


The size of the award and Facebook’s rapid response in stamping out the bug hint at the severity of the risk involved.

Facebook fixes bug that let hacker take over any account