Researcher receives $15000 through Facebook’s bug bounty program

Researcher Anand Prakash has been awarded $15,000 (50,550,000 UGX) through Facebook‘s bug bounty program after disclosing a password flaw which allowed attackers to access accounts with little effort.

The flaw, since fixed by Facebook, was a simple vulnerability that gave the researcher access to Facebook accounts without any user interaction. “This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc.” Prakash said in a blog post.

Prakash explained in his post that missing security protocols in some versions of Facebook made it possible for hackers to reset account passwords without the legitimate owner’s knowledge.

Facebook’s bug bounty program begun in 2011, rewarding researchers, hackers and others, for reporting security flaws to the company. Other Tech Giants like; Google Inc. and Microsoft Corp. also offer similar bug bounty programs, which have sprung up over the last several years as cyber-crime has become ever more frequent and damaging.

According to CNET, Facebook’s main website prevents hackers from requesting a reset for a given account and then simply running a program to guess the code without actually having to receive it from the social network. The site blocks the account after 10 to 12 failed log-in attempts. But on the beta pages beta.facebook.com and mbasic.beta.facebook.com the scenario played out differently for Prakash.

The security researcher said “rate limiting,” or the anti-brute-force measure on the main website, was missing from the other domains. CNET adds.

Prakash notified Facebook last month, on Feb 22nd, because the flaw was serious and easily within the skill range of many cyber-attackers. After acknowledging the flaw, the social media giants, gave Prakash his bounty as a reward for responsible disclosure.