This Hacker From Bengaluru Finds A Bug In Facebook & Awarded Rs 10 Lakh

Anand Prakash, a hacker from Bengaluru, has been awarded prize money of approximately Rs. 10 lakh ($15,000) after finding a bug in the login system of the social networking website Facebook. Had other hackers found this bug first, they could have used it to access not only users' personal details but also the debit/credit card details saved in the payments section.

Anand also works with the e-commerce giant Flipkart as a security analyst. He disclosed the details in a blog post, saying that he reported the bug to Facebook's security team on February 22 and received the email about the award on March 2. He also said that Facebook acknowledged the issue and has since fixed it.


This is what he posted on the blog:

“Whenever a user forgets his password on Facebook, he has the option to reset it by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110; Facebook will then send a 6-digit code to his phone number/email address, which the user has to enter in order to set a new password.

I tried to brute-force the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts. Then I looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com and, interestingly, rate limiting was missing on the forgot-password endpoints. I tried to take over my account (as per Facebook’s policy you should not do any harm to any other user's account) and was successful in setting a new password for my account. I could then use the same password to log in to the account.”
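The weakness in the quoted post is not the 6-digit code itself but where the attempt counter lived: the limit held on www.facebook.com and was absent on the beta hosts, so the same code could be guessed against through a different front end. The following added example (not Facebook's code, nor anything from Anand's post) models a reset-code verifier with two configurations: a per-host budget, which reproduces the flaw, and a per-account budget shared by every host, which closes it. The attempt limit, code lifetime, host names and account ids are constructed for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 10            # attempt budget per outstanding code (assumed value)
CODE_TTL_SECONDS = 15 * 60   # code lifetime (assumed value)


@dataclass
class Challenge:
    code: str
    issued_at: float


class ResetCodeService:
    """Issues and checks 6-digit password-reset codes.

    scope="account": one attempt budget per account, shared by every
    front-end host (the hardened design).
    scope="host": a separate budget per (account, host) pair, which models
    the weakness in the post: each extra host is a fresh budget against
    the same code.
    """

    def __init__(self, scope="account", max_attempts=MAX_ATTEMPTS,
                 ttl=CODE_TTL_SECONDS, clock=time.time, rng=secrets.randbelow):
        if scope not in ("account", "host"):
            raise ValueError("scope must be 'account' or 'host'")
        self.scope = scope
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock
        self.rng = rng
        self._codes = {}     # account_id -> Challenge
        self._attempts = {}  # budget key -> wrong guesses so far

    def _budget_key(self, account_id, host):
        return account_id if self.scope == "account" else (account_id, host)

    @staticmethod
    def _account_of(key):
        return key[0] if isinstance(key, tuple) else key

    def _invalidate(self, account_id):
        self._codes.pop(account_id, None)
        for key in [k for k in self._attempts if self._account_of(k) == account_id]:
            del self._attempts[key]

    def issue(self, account_id):
        """Create a fresh code. In production it goes out of band (SMS/email);
        it is returned here only so the demo can exercise the happy path."""
        self._invalidate(account_id)      # a new code also wipes any old budget
        code = f"{self.rng(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account_id] = Challenge(code, self.clock())
        return code

    def verify(self, account_id, submitted, host="www"):
        """Returns 'ok', 'wrong_code', 'locked', 'expired' or 'no_active_code'."""
        ch = self._codes.get(account_id)
        if ch is None:
            return "no_active_code"
        if self.clock() - ch.issued_at > self.ttl:
            self._invalidate(account_id)
            return "expired"
        key = self._budget_key(account_id, host)
        if self._attempts.get(key, 0) >= self.max_attempts:
            return "locked"               # refuse before comparing anything
        well_formed = len(submitted) == CODE_DIGITS and submitted.isdigit()
        if well_formed and hmac.compare_digest(ch.code, submitted):
            self._invalidate(account_id)  # codes are single use
            return "ok"
        self._attempts[key] = self._attempts.get(key, 0) + 1
        return "wrong_code"


def count_evaluated_guesses(service, account_id, hosts, n_guesses):
    """Submit n_guesses sequential wrong codes, spread across the given
    hosts, and count how many the service actually evaluated. A correct
    limiter returns MAX_ATTEMPTS regardless of how many hosts exist."""
    real = service.issue(account_id)
    evaluated = 0
    for i in range(n_guesses):
        guess = f"{i:0{CODE_DIGITS}d}"
        if guess == real:
            continue                      # only wrong guesses are counted
        host = hosts[i % len(hosts)]
        if service.verify(account_id, guess, host=host) == "wrong_code":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    hosts = ["www", "beta", "mbasic.beta"]   # constructed host names
    for scope in ("host", "account"):
        svc = ResetCodeService(scope=scope)
        print(scope, count_evaluated_guesses(svc, "alice", hosts, 100))
```

With three hosts the per-host configuration evaluates 30 wrong guesses before every host is locked, while the per-account configuration stops at 10. The practical check this suggests for any reset flow is to enumerate every hostname and API path that reaches the same verification logic and confirm that they all consult the same counter, ideally one keyed on the account (or the issued code) rather than on the request's origin.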

Many multinationals like Facebook offer rewards to ethical hackers for finding deficiencies in their security systems so that they can be resolved. In 2015 alone, Facebook awarded $936,000 to 210 researchers for helping it find bugs, and according to one report, Anand has earned more than Rs. 1 crore for finding bugs.
