There was worrying news for Facebook users this week when a security researcher in India discovered a method for taking over any user account on the social media site. Luckily for Facebook, not to mention the people who hold accounts on the website, the hacker in question was of the ‘white hat’ variety and reported the flaw to Facebook rather than exploiting it.
Indian hack embarrasses Zuckerberg
Facebook has publicly acknowledged the report, perhaps as something of a damage limitation exercise. The social media giant can consider itself fortunate that it was not a ‘black hat’ hacker who found the flaw first, as that scenario could have been nothing short of disastrous.
As it is, Facebook awarded the Indian researcher $15,000 under its bug bounty program, which many observers have opined is small change compared to what the flaw could ultimately have cost the site. The issue has once more raised the specter of privacy on social media sites in general.
Anand Prakash, a security engineer based in India, originally disclosed the details in a blog post entitled “How I could have hacked all Facebook accounts,” a title chosen to generate maximum attention. It certainly worked.
Prakash abused the forgotten-password flow on Facebook to force his way into any account on the site. He also published a video demonstrating the attack, and later a screenshot of the bounty payment Facebook had made.
This is not the first time that Prakash has worked with Facebook: he has previously reported bugs through the site’s bug bounty program, and on this occasion Facebook chose to make a public statement on the matter. “One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We’re happy to recognize and reward Anand for his excellent report,” Facebook told Gizmodo.
Facebook password exploit
The source of this exploit is particularly interesting, as it involves a feature that is extremely common across the Internet. When a user cannot log in, Facebook texts or emails a six-digit confirmation code, and entering that code lets the user set a new password and regain access to the account.
To limit abuse of this feature, Facebook allows a user only a handful of attempts to enter the code correctly before the reset is blocked, something that virtually every Internet user will have encountered. This technique is referred to as rate-limiting, and it is what stops an attacker from simply trying every one of the 1,000,000 possible six-digit codes until one is accepted.
One would think that overcoming this protection would require some incredible technical trickery. As it turns out, it was elementary for Prakash to breach Facebook’s security, owing to what appears to have been a basic oversight on the part of the social media site.
Facebook’s beta sites (such as beta.facebook.com) ran the same password-reset flow but had no rate-limiting in place, so Prakash was able to brute-force the code: the beta site gave him an unlimited number of attempts at the six-digit confirmation code for a victim’s account, as the YouTube video he posted shows. Since the code space is only a million values, an automated client can exhaust it in minutes.
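The following is an added example, not code from the article or from Facebook, that models the two behaviours described above: a confirmation-code check with no attempt limit (the beta site) beside one that aborts the reset after a fixed number of wrong guesses (the production site). The class, the MAX_ATTEMPTS value of 10 and the account names are assumptions for illustration; the article does not state Facebook’s real threshold or endpoint.

```python
import hmac
import secrets
from typing import Dict, Optional, Set

CODE_LENGTH = 6
MAX_ATTEMPTS = 10  # assumed threshold; the article does not give Facebook's real limit


class ResetVerifier:
    """Models the 'enter the six-digit confirmation code' step of a password reset.

    rate_limited=False reproduces the beta-site behaviour described in the article:
    the caller may guess forever. rate_limited=True aborts the reset after
    MAX_ATTEMPTS wrong guesses, which is what the production site was doing.
    """

    def __init__(self, rate_limited: bool, max_attempts: int = MAX_ATTEMPTS) -> None:
        self.rate_limited = rate_limited
        self.max_attempts = max_attempts
        self._codes: Dict[str, str] = {}    # account -> outstanding code
        self.failures: Dict[str, int] = {}  # account -> wrong guesses so far
        self.locked: Set[str] = set()       # accounts whose reset was aborted

    def issue_code(self, account: str, code: Optional[str] = None) -> str:
        """Send a fresh code (here: just return it). `code` is only for deterministic tests."""
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._codes[account] = code
        self.failures[account] = 0
        return code

    def verify(self, account: str, guess: str) -> bool:
        """Check one guess. Returns True exactly once, for the correct code."""
        if account in self.locked:
            return False
        expected = self._codes.get(account)
        if expected is None:
            return False
        if hmac.compare_digest(expected, guess):  # constant-time compare
            del self._codes[account]              # single use
            return True
        self.failures[account] += 1
        if self.rate_limited and self.failures[account] >= self.max_attempts:
            # Abort the reset: the attacker must trigger a new code and start over
            self.locked.add(account)
            del self._codes[account]
        return False


def brute_force(verifier: ResetVerifier, account: str) -> Optional[str]:
    """Attacker side: walk the whole 000000..999999 space until a guess is accepted."""
    for n in range(10 ** CODE_LENGTH):
        guess = f"{n:0{CODE_LENGTH}d}"
        if verifier.verify(account, guess):
            return guess
        if account in verifier.locked:
            return None  # rate limit tripped; give up
    return None


if __name__ == "__main__":
    # Constructed scenario: the same attacker against an unlimited and a limited endpoint
    beta = ResetVerifier(rate_limited=False)
    beta.issue_code("victim")
    print("no rate limit ->", brute_force(beta, "victim"))  # recovers the code every time
    prod = ResetVerifier(rate_limited=True)
    prod.issue_code("victim")
    print("rate limited  ->", brute_force(prod, "victim"))  # None, reset aborted after 10 guesses
```

The attempt counter has to be enforced on every host that serves the endpoint, which is the lesson of the beta site: a limit that exists only on www.facebook.com protects nothing if the same code check is reachable on beta.facebook.com without it. A production design would also expire the code after a few minutes, count attempts per issued code rather than per account, and add per-source throttling so that the lockout cannot be turned into a denial of service against the victim.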
Once he had set a new password and logged in, Prakash stated that it was possible for him to “view messages, his credit/debit cards stored under payment section, personal photos, etc.” Naturally, this is extremely sensitive data, and precisely the sort of information that users would wish to keep from attackers.
Facebook has naturally moved to reassure users over the issue, which has highlighted the sensitivity of the data held on the site. Whatever guidance Facebook offers on using the website safely, it remains common for people to post and receive extremely personal information through it.
So the social media giant has been keen to emphasize that the bug was live for only 72 hours and was fixed rapidly. Facebook representatives have also pointed out that the beta site normally has rate-limiting in place too, and that it was left temporarily undefended by a system change.
Prakash states that he discovered the flaw on February 22, and that Facebook had paid him the $15,000 bounty by March 2. It is not unusual for Facebook to pay researchers significant sums for reporting vulnerabilities, but this is one of the most prominent examples thus far.
German court case
This has been a difficult period for Facebook, as the site has also had to cope with a German court ruling that its ‘Like’ button can be used in a way that violates European privacy law. There are clearly question marks over Facebook’s handling of user data at present, and Zuckerberg et al will need some slick PR in the coming days, as well as a response to the ‘Like’ button ruling.