Anand Prakash works for Flipkart.
By Dileep Thekkethil
A Bengaluru-based hacker, Anand Prakash, who found a major bug in Facebook's system, has received a bounty of $15,000 from the social media giant for reporting a login problem.
If left unfixed, the bug could have allowed unethical hackers to steal users' personal information, such as photos, messages and even their credit card and debit card numbers.
Prakash, who works in the security division of Flipkart, the popular online shopping website in India, found the bug and reported it to Facebook promptly.
According to Prakash, he sent the bug report to Facebook on February 22nd, and on March 2nd he received an acknowledgement email from Facebook thanking him for helping to resolve the issue. The letter also said that Facebook would reward him with $15,000 (around Rs. 10 lakh) under its bounty program.
Prakash wrote on his blog: "Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110. Facebook will then send a 6-digit code to his phone number/email address, which the user has to enter in order to set a new password.
I tried to brute the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts. Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and, interestingly, rate limiting was missing on the forgot-password endpoints. I tried to take over my account (as per Facebook's policy you should not do any harm to any other user's account) and was successful in setting a new password for my account. I could then use the same password to log in to the account."
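The weakness Prakash describes is a missing attempt limit on the endpoint that checks the 6-digit reset code: present on www.facebook.com, absent on the beta hosts serving the same flow. The following is an added example, not Facebook's code and not taken from Prakash's write-up, of what the server-side check looks like when the failure counter is keyed by account and shared by every front-end. The thresholds (10 attempts, a 10-minute code lifetime, a 15-minute lockout) are assumptions chosen for illustration.

```python
"""Server-side verification of a 6-digit password-reset code with a
per-account attempt counter and lockout.

Added example (not Facebook's code and not from Anand Prakash's write-up).
The thresholds below are assumptions chosen for illustration.
"""
import secrets
import time

MAX_ATTEMPTS = 10        # assumption: roughly the 10-12 tries the post says www.facebook.com allowed
CODE_TTL_SECONDS = 600   # assumption: a reset code is valid for 10 minutes
LOCKOUT_SECONDS = 900    # assumption: 15-minute lockout after too many failures
CODE_SPACE = 10 ** 6     # a 6-digit code has one million possible values


class ResetCodeVerifier:
    """Tracks outstanding reset codes and failed guesses, keyed by account.

    The two dictionaries stand in for a store shared by every front-end
    (www, beta, mbasic.beta, ...). Keeping the counter per host, or only on
    some hosts, is the gap the post describes: the code was the same
    everywhere, but the limit was not.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, code_ttl=CODE_TTL_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self._max_attempts = max_attempts
        self._code_ttl = code_ttl
        self._lockout = lockout
        self._clock = clock               # injectable so tests can advance time
        self._challenges = {}             # account_id -> [code, issued_at, failures]
        self._locked_until = {}           # account_id -> clock deadline

    def issue(self, account_id):
        """Generate a fresh code for the account; returned for delivery by SMS/email."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"   # CSPRNG, zero-padded
        self._challenges[account_id] = [code, self._clock(), 0]
        return code

    def verify(self, account_id, submitted):
        """Check a submitted code. Returns one of:
        'ok', 'invalid', 'locked', 'expired', 'no_challenge'."""
        now = self._clock()
        if self._locked_until.get(account_id, 0.0) > now:
            return "locked"                 # refuse even a correct code while locked
        entry = self._challenges.get(account_id)
        if entry is None:
            return "no_challenge"
        code, issued_at, failures = entry
        if now - issued_at > self._code_ttl:
            del self._challenges[account_id]
            return "expired"
        # Only compare well-formed input (compare_digest needs ASCII str);
        # the constant-time comparison avoids leaking a prefix match via timing.
        well_formed = len(submitted) == 6 and submitted.isascii() and submitted.isdigit()
        if well_formed and secrets.compare_digest(code, submitted):
            del self._challenges[account_id]   # single use
            return "ok"
        entry[2] = failures + 1
        if entry[2] >= self._max_attempts:
            # Burn the code and lock the account: a new code must be requested,
            # which the real owner will see arrive.
            del self._challenges[account_id]
            self._locked_until[account_id] = now + self._lockout
            return "locked"
        return "invalid"


def brute_force_success_probability(attempts, code_space=CODE_SPACE):
    """Chance that `attempts` distinct guesses hit a uniformly random code."""
    return min(attempts, code_space) / code_space


if __name__ == "__main__":
    v = ResetCodeVerifier()
    code = v.issue("demo-account")
    wrong = "000000" if code != "000000" else "000001"
    results = [v.verify("demo-account", wrong) for _ in range(MAX_ATTEMPTS)]
    print(results)                          # nine 'invalid', then 'locked'
    print(v.verify("demo-account", code))   # 'locked': the correct code is rejected too
    print(f"p(success) with {MAX_ATTEMPTS} guesses: "
          f"{brute_force_success_probability(MAX_ATTEMPTS):.0e}")
```

The counter is tied to the account under reset rather than to the requesting host or client address, so the limit holds no matter which front-end receives the guess; with the code space at one million values, ten guesses leave a one-in-100,000 chance, whereas an unlimited endpoint lets the whole space be walked. Invalidating the code on lockout, rather than only pausing, also means a later retry cannot resume against the same code.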
All major tech giants, including Facebook and Google, run bounty programs for non-employees who help them find and fix bugs. They encourage ethical hackers to look for loopholes in their systems and report the vulnerabilities.
According to current estimates, Facebook alone has paid over $936,000 to 210 ethical hackers who found minor and major bugs in the system.
Interestingly, this is not the first bounty Prakash has received. Reports describe him as a "crorepati" hacker who has earned over Rs. 10 million just by finding bugs.
It seems that Prakash's bug report has wider implications than was originally believed. Many cite this as the reason why Facebook, which normally pays an average of $1,780 per bug, offered $15,000 to Prakash. Hackers from India, Egypt, and Trinidad & Tobago lead the bounty payout program.
Social Media Update
A very simple Facebook account takeover bug reward $15k reported by me https://t.co/2kj43eiNCf
— Anand Prakash (@sehacure) March 7, 2016
https://twitter.com/chrisrohlf/status/706904828388233217
2 Comments
Please avoid fake likes and auto followers on FB. They are hacking fake comments and likes.
Woo.. Awesome info you have shared here.
Hope this post will inspire others to work extra and learn extra by doing extra work.
Salute to Facebook for inspiring….!!!!
Great and appreciable job by Anand Prakash…!!!!
Keep going, Anand Prakash; you are still young and have more to achieve….!!!!