We know that no website is totally secured from security flaws, but when it comes to one of the most popular social media website then our view changes and make us wonder why not our engineers can make website that is totally protected from hackers.
India-based web application expert Anand Prakash has found a security flaw in Facebook that has left million of users prone to brute force password hacking.
According to the expert company's one can guess infinite number of PINs on beta websites while resetting passwords that lead to the discovery of a simple but powerful security flaw.
"[The vulnerability] gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability," Prakash wrote in a blog post.
Whenever a user forgets their password and click on the forgot password they have two option to reset it by entering a phone number or email address after which Facebook will send through a six-digit verification code.
"I tried to brute the six digit code on www.facebook.com and was blocked after 10-12 invalid attempts," the researcher explained. "Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly 'rate limiting' was missing on the 'forgot password' endpoints."
The researcher attempted to reset password on his own account and was able to successful in setting a new password and getting logged into the profile. "Brute forcing the "n" successfully allowed me to set new password for any Facebook user," he added.
On 22 February, Prakash reported the bug to Facebook and was patched within 24 hours. On 2 March, Facebook paid the bug bounty of $15,000 to the researcher for identifying the flaw.
India-based web application expert Anand Prakash has found a security flaw in Facebook that has left million of users prone to brute force password hacking.
According to the expert company's one can guess infinite number of PINs on beta websites while resetting passwords that lead to the discovery of a simple but powerful security flaw.
"[The vulnerability] gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability," Prakash wrote in a blog post.
Whenever a user forgets their password and click on the forgot password they have two option to reset it by entering a phone number or email address after which Facebook will send through a six-digit verification code.
"I tried to brute the six digit code on www.facebook.com and was blocked after 10-12 invalid attempts," the researcher explained. "Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly 'rate limiting' was missing on the 'forgot password' endpoints."
The researcher attempted to reset password on his own account and was able to successful in setting a new password and getting logged into the profile. "Brute forcing the "n" successfully allowed me to set new password for any Facebook user," he added.
On 22 February, Prakash reported the bug to Facebook and was patched within 24 hours. On 2 March, Facebook paid the bug bounty of $15,000 to the researcher for identifying the flaw.