More than a billion people currently use Facebook worldwide, which is why the company is constantly doing its best to make sure that the information of this vast number of users is kept confidential and secure.
However, a security researcher named Anand Prakash recently discovered a major security flaw that could put any Facebook account at risk of hacking.
— Bangalore Mirror (@Bangaloremirror) March 9, 2016
In order to protect its users’ accounts, Facebook sends out a 6-digit PIN to the user’s phone when he or she requests to reset their account. This PIN would then be used as a temporary password while the account undergoes the reset process.
Facebook would then only allow up to 12 bad guesses in the temporary password. However, Prakash discovered that such a security feature is not available on beta.facebook.com.
The beta website of Facebook is the page where developers often bring in new updates and features, which are not yet applicable or supported on the actual Facebook website.
— Gizmodo (@Gizmodo) March 8, 2016
But because all Facebook accounts can be accessed as well on beta.facebook.com, they are put at risk. That’s because when these accounts are opened through the beta version, anyone can guess a user’s password countless times without being banned by the site.
In the report, the bug resulted from a recent update that was implemented on Facebook beta, and the security researcher was the first to notice it.
He said he used a program called Burp Suite, which was capable of rapidly trying all possible password combinations. Once he found the correct code, it allowed him to log in, view personal and credit card information, and even log out of all the devices the account had been logged into.
The researcher said that a hacker only needs to type a user’s username, which can easily be spotted by searching publicly for the user’s profile.
When Prakash discovered the bug, he immediately sent a detailed report to Facebook’s report vulnerability page. He hacked his own account and set up a new password to show the extent of the risk.
The next day, the social media giant confirmed the bug and told him that it had already been fixed.
More than a week later, Prakash received $18,000 from Facebook under the bug bounty program. Anand is a product security engineer for Flipkart, which is an India-based ecommerce company.
— The Verge (@verge) March 8, 2016
While some tech experts may consider the bug as “simple” and “minor,” Facebook’s White Hat page begs to disagree. The page states that the payouts for the bug bounty program are based on the issue’s “risk, impact, and other factors.”
Taking the particular security bug into consideration, it may have triggered hacking of various user accounts across the world because identity thieves would be able to guess passwords without getting banned.
Facebook has also released a statement about Prakash’s discovery, and said that “One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production.”
The statement said that the company is very happy to recognize and reward the researcher for his “excellent report.”
Since Facebook launched its bug bounty campaign in 2011, the company has already paid out more than $4.3 million to more than 800 researchers.
Facebook has paid out $4.3m for more than 2,400 vulnerability reports submitted since its bug bounty began in 2011. https://t.co/ShjZjdWFrI
— Spreer-Raschke (@SpreerRaschke) February 15, 2016
Meanwhile, cybersecurity expert Alan Woodward, who is a professor at the University of Surrey, stated that the simplicity of the hack is alarming.
“It was surprisingly simple, you’d have thought someone would have picked up on it now,” Woodward said. “You would think sites would allow you to have five attempts and then lock you out, it’s pretty standard practice.”
[Image via Flickr]