Bengaluru-based Anand Prakash found a vulnerability on Facebook which could have been used to hack into any user account easily without any user interaction. This could give full access to view messages, credit/debit cards stored under payment section, personal photos and much more.
According to a post on Prakash’s blog, he stated that, “Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address and Facebook will then send a 6 digit code on his phone number/email address, which can be used in order to set a new password.” He added that he tried to brute-force the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts.
Prakash then looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com and found that rate limiting was missing on the ‘forgot password’ endpoints there, so the code could be guessed exhaustively. He tried to take over his own account and succeeded in setting a new password for it; with that password he could then log in to the account.
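The defect described above is the absence of an attempt limit on the endpoint that verifies the 6-digit reset code: a 6-digit code has only one million possibilities, so a guesser who is never cut off is guaranteed to find it. The following is an added example of the server-side control that closes this gap; it is not Facebook's code or anything from Prakash's write-up. The class name `ResetCodeVerifier`, the limit of 10 attempts (chosen to match the 10-12 attempts the article reports for the main site), the ten-minute code lifetime and the `simulate_guessing` helper are all assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 10          # lock the pending code after this many wrong guesses (assumed policy)
CODE_TTL_SECONDS = 600     # a reset code is only valid for ten minutes (assumed policy)
CODE_SPACE = 1_000_000     # 6 decimal digits: "000000" .. "999999"


class ResetCodeVerifier:
    """Holds pending password-reset codes and enforces a per-account attempt limit.

    max_attempts=None reproduces the unlimited behaviour the article describes
    on the beta endpoints; a small integer is the fix.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.monotonic):
        self._pending = {}          # account_id -> [code, issued_at, failed_attempts]
        self._max_attempts = max_attempts
        self._ttl = ttl
        self._clock = clock         # injectable so expiry can be tested without sleeping

    def issue(self, account_id, code=None):
        """Generate (or, for tests only, accept) a 6-digit code and remember it for the account."""
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"   # CSPRNG, never random.randint
        self._pending[account_id] = [code, self._clock(), 0]
        return code

    def verify(self, account_id, submitted):
        """Return one of: ok, wrong_code, locked, expired, no_pending_code."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_pending_code"
        code, issued_at, failures = entry
        if self._clock() - issued_at > self._ttl:
            del self._pending[account_id]
            return "expired"
        if self._max_attempts is not None and failures >= self._max_attempts:
            return "locked"                   # refuse even a correct guess once locked
        if hmac.compare_digest(code, submitted):
            del self._pending[account_id]     # single use: a code never verifies twice
            return "ok"
        entry[2] += 1
        if self._max_attempts is not None and entry[2] >= self._max_attempts:
            return "locked"                   # the guess that hits the limit is reported as a lock
        return "wrong_code"

    def failures(self, account_id):
        entry = self._pending.get(account_id)
        return entry[2] if entry else 0


def simulate_guessing(verifier, account_id):
    """Walk the whole code space in order, as an attempt-limit test harness.

    Returns (final_outcome, number_of_attempts_made). With a limit in place the
    loop ends in 'locked' after at most max_attempts tries; without one it always
    ends in 'ok', which is exactly the condition the article describes.
    """
    for attempt, candidate in enumerate(range(CODE_SPACE), start=1):
        outcome = verifier.verify(account_id, f"{candidate:06d}")
        if outcome in ("ok", "locked", "expired", "no_pending_code"):
            return outcome, attempt
    return "exhausted", CODE_SPACE


if __name__ == "__main__":
    # Constructed demonstration: the same fixed code under both policies.
    unlimited = ResetCodeVerifier(max_attempts=None)
    unlimited.issue("alice", code="000123")
    print("no rate limit:", simulate_guessing(unlimited, "alice"))     # ('ok', 124)

    limited = ResetCodeVerifier(max_attempts=MAX_ATTEMPTS)
    limited.issue("alice", code="000123")
    print("with limit:   ", simulate_guessing(limited, "alice"))       # ('locked', 10)
```

The two properties that matter are visible in `verify`: the attempt counter is tied to the pending code for the account, not to the client's IP or session, so a guesser cannot reset it by switching hosts or the way the article's author switched hostnames; and once the limit is reached the code is dead even if the next guess happens to be right. Expiry and single use further bound the window in which any guessing can happen, and `hmac.compare_digest` keeps the comparison from leaking which digits matched.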
Facebook, on its part, acknowledged the issue promptly and fixed it. The hacker was rewarded $15,000 (approximately Rs 10 lakh) considering the severity and impact of the vulnerability.