Facebook account security was recently found wanting by Indian security researcher Anand Prakash. Facebook users can normally try a password 10 to 12 times before the social networking site cuts them off. But Prakash noticed that on beta.facebook.com, these protections were missing.
Did Facebook overpay?
Every Facebook account is also reachable through beta.facebook.com (where developers often roll out new features that are not yet ready for Facebook.com), so the missing limit let him flood the password-reset page with PIN guesses until one matched, giving him entry to any account he chose. The bug appears to be the result of a change rolled out to the beta site a few days earlier.
Though no harm was done, the bug was a real danger to security and is exactly the type of flaw bug bounties are meant to surface. After discovering it, Prakash informed the social media giant through its vulnerability-report page. The next day, the social networking site fixed the bug and awarded Prakash $15,000 in cash.
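As an added illustration of the protection that was missing on the beta host (this is hypothetical code, not Facebook's and not from Prakash's write-up): a reset-PIN verifier that counts guesses per challenge and burns the code once the limit is reached. The six-digit code, the ten-attempt limit and all names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6     # assumed: a six-digit reset PIN
MAX_ATTEMPTS = 10   # assumed policy, in line with the roughly ten guesses the article cites


@dataclass
class ResetChallenge:
    code: str
    attempts: int = 0


class ResetCodeStore:
    """Server-side PIN verification that counts guesses per challenge (hypothetical)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        # max_attempts=None reproduces the unlimited-guess behaviour the article describes
        self.max_attempts = max_attempts
        self._challenges = {}

    def issue(self, account_id):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[account_id] = ResetChallenge(code)
        return code  # a real system delivers this out of band (email/SMS), never to the caller

    def verify(self, account_id, guess):
        ch = self._challenges.get(account_id)
        if ch is None:
            return "invalid"  # no live challenge: expired, consumed or already locked
        ch.attempts += 1
        # Enforce the limit BEFORE comparing, so a correct guess past the limit is still refused
        if self.max_attempts is not None and ch.attempts > self.max_attempts:
            del self._challenges[account_id]  # burn the code; the user must request a new one
            return "locked"
        if hmac.compare_digest(ch.code, guess):  # constant-time comparison
            del self._challenges[account_id]  # single use
            return "ok"
        return "wrong"


def run_guesses(store, account_id, guesses):
    """Feed a list of guesses and return each outcome, to see where lockout kicks in."""
    return [store.verify(account_id, g) for g in guesses]
```

A per-challenge counter alone can be sidestepped by requesting a fresh code, so a production service also throttles reissues per account and per client.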
Many may argue that Facebook overpaid for a relatively simple bug, but like many tech companies, the social media giant prices its bounties on risk rather than on how complex the bug is. Facebook’s White Hat page notes that the amount paid out is based on impact, risk and other factors. Had the bug Prakash reported reached Facebook.com, it could have exposed users to account takeover on a wide scale.
Facebook’s bug bounty program
In a blog post titled “How I could have hacked all Facebook accounts,” Prakash detailed how he found a way to abuse Facebook’s “Forgot Password?” flow to get into anyone’s account. Prakash also uploaded a proof-of-concept video and a screenshot of his bug bounty payment.
In a statement, the social media firm said, “One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We’re happy to recognize and reward Anand for his excellent report.”
Since the start of the bug bounty program in 2011, the social media giant has made more than $4.3 million in payouts to more than 800 researchers.