Facebook takes its bugs seriously. So much so that it rewards people who find problems plaguing its systems. Bengaluru-based hacker Anand Prakash received a bounty of $15,000 (around Rs 10 lakh) from the social media giant for reporting a login problem.

Anand Prakash | Source: Twitter

Prakash, a 22-year-old who works in the security division of Flipkart, found the major bug and reported it to Facebook promptly. If left unfixed, the bug could have allowed unethical hackers to steal users' personal information, such as photos, messages and even their credit card and debit card numbers.

His blog post on this responsible disclosure is titled ‘How I could have hacked all Facebook accounts’. In it, he writes:

Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110. Facebook will then send a 6 digit code to his phone number/email address, which the user has to enter in order to set a new password. I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.
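The reset flow quoted above depends on the lockout after repeated wrong codes. As an added example (not from Prakash's post and not Facebook's code), here is a sketch of a reset-code verifier that counts failures per account rather than per request; the `ResetCodeStore` name, the limit of 10 attempts and the 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 10        # assumption: mirrors the "10-12 invalid attempts" in the quote
CODE_TTL_SECONDS = 600   # assumption: codes stay valid for 10 minutes


class ResetCodeStore:
    """In-memory store of pending reset codes, keyed by account id."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # account -> [salt, digest, expires_at, failures]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account):
        """Create a fresh random 6-digit code, replacing any earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[account] = [salt, self._digest(salt, code),
                                  self._now() + CODE_TTL_SECONDS, 0]
        return code  # delivered by SMS/e-mail, never echoed to the browser

    def verify(self, account, guess):
        """Return 'ok', 'invalid', 'locked' or 'expired'."""
        entry = self._pending.get(account)
        if entry is None or self._now() > entry[2]:
            self._pending.pop(account, None)
            return "expired"
        if entry[3] >= MAX_ATTEMPTS:
            return "locked"  # even the right code is refused until a new one is issued
        if hmac.compare_digest(entry[1], self._digest(entry[0], guess)):
            del self._pending[account]  # codes are single use
            return "ok"
        entry[3] += 1  # the counter lives with the account, not the client or endpoint
        return "invalid"


def worst_case_guess_probability(max_attempts=MAX_ATTEMPTS):
    """Chance that blind guessing hits a uniformly random 6-digit code."""
    return max_attempts / 10**6
```

Because the failure counter is stored with the account, every endpoint that accepts the code shares the same limit; issuing new codes should be rate-limited as well.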

Prakash also uploaded a video to his YouTube channel explaining how he managed to discover the bug.

Good for us that Prakash is what is called a ‘white hat hacker’, who, unlike ‘black hat hackers’, does not use the vulnerabilities he finds for personal gain and discloses the matter to the public only after receiving permission from the company concerned.

Twitterati congratulated the techie.

Interestingly, this is not the first time that Prakash has received a bounty. Reports say that he is a crorepati-hacker, who has received over Rs. 10 million just by finding bugs. His LinkedIn profile mentions Google, RedHat, Dropbox, Adobe, eBay and PayPal as others who have rewarded him for reporting security vulnerabilities. He’s one smart kid!

Prakash spoke to the Free Press Journal on receiving the bounty:

I started doing this after completing my graduation in BTech. I have so far reported 90 bugs for Facebook and around 30 for Twitter.

Here’s hoping Prakash makes it to the Facebook Hall Of Fame which recognises the contributions of the researchers who help in making the site more secure.