Thanks to the vulnerability, a malicious hacker could potentially reset a user’s password and then access all parts of their account on the social messaging platform, including messages, photos, and credit and debit card information under the payments section.
Instead, the flaw was discovered first by Bangalore-based security researcher Anand Prakash, who promptly notified Facebook in February, saving the company face.
If a user forgets their password, Facebook sends a six-digit code to the user’s email address or phone number when they request a new one, something which could potentially be guessed by brute force if an attacker were given unlimited attempts. While Facebook’s main site has a limit of 10-12 attempts at typing in the correct code, Prakash noticed that its beta sites did not, and was then able to break into his own account and set a new password for it by ‘brute forcing’ the code through these sites.
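The defensive lesson in the paragraph above is that the attempt limit has to be enforced in one place that every front end shares, not per site. The following is an added example written for this article, not code from Facebook or from Prakash’s write-up: a small reset-code store that issues a six-digit code, verifies it in constant time, counts failures centrally and locks the code after a fixed number of wrong guesses, placed beside an unlimited verifier that mirrors the behaviour described for the beta sites. The `MAX_ATTEMPTS` value of 10 and the account names are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed value for the demo; the article reports 10-12 attempts on the main site.
MAX_ATTEMPTS = 10


@dataclass
class ResetCodeStore:
    """Server-side record of issued reset codes and failed attempts, keyed by account.

    The failure counter lives with the code, so any front end (main site, beta
    site, mobile) that verifies through this store is bound by the same limit.
    """
    codes: dict = field(default_factory=dict)     # account -> six-digit code
    failures: dict = field(default_factory=dict)  # account -> wrong guesses so far

    def issue(self, account: str) -> str:
        """Generate a fresh code and reset the failure counter for the account."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[account] = code
        self.failures[account] = 0
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Check a submitted code; lock the account's code after MAX_ATTEMPTS failures."""
        code = self.codes.get(account)
        if code is None:
            return False  # nothing outstanding, or already locked / consumed
        if self.failures[account] >= MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.codes[account]  # single use: a correct code cannot be replayed
            return True
        self.failures[account] += 1
        if self.failures[account] >= MAX_ATTEMPTS:
            del self.codes[account]  # invalidate; the user must request a new code
        return False


def verify_unlimited(store: ResetCodeStore, account: str, submitted: str) -> bool:
    """Mirror of a front end that compares against the store but never counts
    failures. This is the weak behaviour the article attributes to the beta sites."""
    code = store.codes.get(account)
    return code is not None and hmac.compare_digest(code.encode(), submitted.encode())


def wrong_code(real: str, i: int) -> str:
    """Deterministic code guaranteed to differ from `real` for 0 <= i < 999999."""
    return f"{(int(real) + i + 1) % 1_000_000:06d}"


def demo() -> dict:
    """Exhaust the limit with wrong guesses, then submit the real code to each verifier."""
    shared = ResetCodeStore()
    code = shared.issue("alice")  # constructed account name
    for i in range(MAX_ATTEMPTS):
        shared.verify("alice", wrong_code(code, i))
    shared_result = shared.verify("alice", code)

    weak = ResetCodeStore()
    code = weak.issue("alice")
    for i in range(MAX_ATTEMPTS):
        verify_unlimited(weak, "alice", wrong_code(code, i))
    weak_result = verify_unlimited(weak, "alice", code)

    return {
        "shared_limit_accepted_after_lockout": shared_result,  # False: locked
        "unlimited_accepted_after_lockout": weak_result,       # True: no limit applied
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is that `verify_unlimited` is not "buggy" on its own terms; it checks the code correctly. It fails because the limit is a property of the code, and any verifier that bypasses the shared counter reopens the guessing space regardless of how strict the main site is. Locking also gives a natural place to raise an alert, since ten wrong codes for one account in a short window is itself a signal worth logging.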
He showed his proof of concept in a video on his blog, before Facebook verified the issue and rewarded him.
$15,000 seems like a measly bounty considering the massive publicity disaster that the company avoided. Facebook issues bug bounties based on the damage they could do, and a bug like the one discovered by Prakash, while relatively simple, could potentially allow attackers full access to any account.
‘Ultimately we pay these bounties to protect Facebook users, so the more users it could affect and the more damage it could do, the higher the impact,’ Facebook says on its site. ‘Would this bug allow someone to access private Facebook data? Delete Facebook data? Modify an account? Can you run JavaScript under facebook.com? These are high-impact vulnerabilities, and this is the most important attribute we consider.’
329 people have received a bounty so far, including professional researchers, students and amateurs. The youngest recipient was 13 years old, and the largest bounty to date was $33,500, paid out to a Brazilian security researcher in 2014. Because it was a ‘remote code execution vulnerability’ that allows attackers to throw malware at surfers visiting a vulnerable website, it was categorised by Facebook as the most serious category of risk.
The next biggest was $20,000 paid out to a British researcher back in 2013, who discovered it was possible to trick Facebook’s text verification system into sending a password reset code for another person’s account.