Facebook takes its bugs seriously. So much so that it awards people who find rogue problems plaguing its systems. Bengaluru-based hacker, Anand Prakash, received a bounty of $15,000 (around Rs 10 lakh) from the social media giant for reporting a login problem.
Prakash, a 22-year-old who works in the security division of Flipkart, found the major bug and reported it to Facebook promptly. If left unfixed, the bug could have allowed unethical hackers to steal personal information of users, like photos, messages and even their credit card and debit card numbers.
A very simple Facebook account takeover bug reward $15k reported by me https://t.co/2kj43eiNCf— Anand Prakash (@sehacure) March 7, 2016
His blog post title on this responsible disclosure reads as 'How I could have hacked all Facebook accounts'.
Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110, Facebook will then send a 6 digit code on his phone number/email address which user has to enter in order to set a new password. I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.
Watch the video he uploaded on his YouTube channel to explain how he managed to discover the bug:
Good for us that Prakash is what is called a 'white hat hacker', who unlike 'black hat hackers', do not use the vulnerabilities they find for personal gain and disclose the matter to the public only after receiving permission from the company concerned.
Twitterati congratulated the techie:
Bounties dont reward you for being clever. They award you for reducing risk to the business and that is judged by bug impact, not complexity— Chris Rohlf (@chrisrohlf) March 7, 2016
@sehacure Every bug hunter should have an eagle eye while hunting bugs..Here is an example.. ! Congrats— Arul Kumar (@arulvaiyapuri) March 7, 2016
@sehacure cool thinking on diverting the same attack to another subdomain. thanks for sharing!— yappare (@yappare) March 8, 2016
@sehacure nice work but you should report it after 4 days because i needed to hack someone— muzammil junaid (@gamemaster88) March 8, 2016
@sehacure congrats genius.. facebook should've rewarded u more.. if it was found by wrong people then facebook would've been in real trouble— SRK_Fan (@commonman_10) March 8, 2016
Interestingly, this is not the first time that Prakash is receiving a bounty. Reports say that he is a crorepati-hacker, who has received over Rs. 10 million just by finding bugs. His LinkedIn profile mentions Google, RedHat, Dropbox, Adobe, eBay and PayPal as others who have rewarded him for reporting security vulnerabilities. He's one smart kid!
Prakash spoke to the Free Press Journal on receiving the bounty:
I started doing this after completing my graduation in BTech. I have so far reported 90 bugs for Facebook and around 30 for Twitter.
Here's hoping Prakash makes it to the Facebook Hall Of Fame which recognises the contributions of the researchers who help in making the site more secure.