
Crippling Facebook Security Bug Patched With $15,000 Reward

March 8, 2016 - Written By Daniel Fuller

Security researchers, both employed and independent, stumble across bugs in daily usage of products or while just tinkering around almost as often as they find them on assignment or at conventions. For example, there was a former Google employee who paid $12 and owned the site for about one minute last year. Normally, these researchers are rewarded fairly handsomely for their efforts. One such researcher, Anand Prakash, noticed a fairly glaring security bug in Facebook that could have let him into any Facebook account, given enough time. After submitting the report of the bug to Facebook, he ended up with a cool $15,000 to show for his troubles.

To be specific, the bug was related to account recovery. When an account password is lost, a recovery PIN can be sent to a mobile number. This six-digit PIN has to be entered in order to gain access to the account again and set a new password. Normally, after a few tries, the system will kick you out and block you from continuing to attempt entering the PIN. On Facebook’s beta website, a test bed for new features that is often laden with bugs, this kick-out feature somehow broke. Prakash found that he could have his system send an unlimited number of PIN attempts until the right one was hit, a method called brute-forcing. If the account owner didn’t notice something was up in the time it would take to get the correct PIN via brute-forcing, their account could be compromised.
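The article gives no implementation details, so the following is an added sketch, not Facebook's code: a recovery-PIN check whose failure counter lives in one store shared by every front end, so a beta host cannot skip the lockout. The five-attempt limit, the ten-minute PIN lifetime and all names are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed; the article only says "a few tries"
PIN_TTL_SECONDS = 600   # assumed PIN lifetime

class RecoveryPinStore:
    """One pending recovery PIN per account, with its failure count."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # account_id -> [pin, failures, expires_at]
        self._clock = clock

    def issue(self, account_id):
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = [pin, 0, self._clock() + PIN_TTL_SECONDS]
        return pin  # delivered out of band (SMS), never echoed to the web client

    def verify(self, account_id, guess):
        entry = self._pending.get(account_id)
        if entry is None or self._clock() >= entry[2]:
            self._pending.pop(account_id, None)
            return "no_pending_pin"
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if hmac.compare_digest(entry[0].encode(), guess.encode()):
            del self._pending[account_id]
            return "ok"
        entry[1] += 1
        if entry[1] >= MAX_ATTEMPTS:
            del self._pending[account_id]   # burn the PIN; a new one must be issued
            return "locked"
        return "wrong"

def make_frontend(store):
    """A front end (production or beta) that delegates to the shared store
    instead of keeping its own counter."""
    def handle_pin_submission(account_id, guess):
        return store.verify(account_id, guess)
    return handle_pin_submission

def wrong_guesses_evaluated(frontends, account_id, wrong_pin, tries):
    """Regression check: how many wrong guesses reach a live PIN when the
    submissions are spread across several front ends."""
    evaluated = 0
    for i in range(tries):
        result = frontends[i % len(frontends)](account_id, wrong_pin)
        if result in ("wrong", "locked"):
            evaluated += 1
    return evaluated
```

Because the counter is keyed on the account and the PIN is discarded at the limit, any number of submissions through any mix of front ends tests at most `MAX_ATTEMPTS` of the 1,000,000 possible values per issued PIN.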

Prakash submitted the bug to Facebook’s security team via their in-site bug report form. In eight days’ time, Facebook gave him the princely sum of $15,000 as thanks for finding that bug so they could squash it. He sent in the report on February 22nd; it was fixed by the 23rd, and he received a message about payment from Facebook on March 2nd. After the dust settled and Prakash verified that the fix was in place and the bug could not be replicated, he reported his findings on his blog yesterday, on March 7. Although this was a fairly simple bug to deal with, it came with a pretty high risk due to the nature of security for people’s personal accounts, which warranted the hefty payout.