A Facebook security flaw has been exposed that left millions of social media accounts vulnerable to brute force password hacking.
The security vulnerability was uncovered by India-based web application expert Anand Prakash, who found the company's beta websites didn't have adequate protection in place to limit the number of PINs that could be guessed when resetting passwords – leading to the discovery of a simple but powerful security flaw.
"[The vulnerability] gave me full access of another user's account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability," Prakash wrote in a blog post.
Whenever a user on the social network forgets their password they have the option to reset it by entering a phone number or email address after which Facebook will send through a six-digit verification code.
"I tried to brute the six digit code on www.facebook.com and was blocked after 10-12 invalid attempts," the researcher explained. "Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly 'rate limiting' was missing on the 'forgot password' endpoints."
Because of this, the researcher noted, it was then straightforward to brute-force the six-digit PIN. Prakash attempted the experiment on his own account and was successful in setting a new password and getting logged into the profile. "Brute forcing the 'n' successfully allowed me to set a new password for any Facebook user," he added.
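The control whose absence on the beta hosts is described above is a per-challenge attempt limit on the reset-code check. The following is an added example, not Facebook's code: a small reset-code store that binds a six-digit code to one account, expires it, refuses further checks after a fixed number of wrong guesses, and makes the code single-use. The limit of 10 attempts is an assumption that roughly mirrors the behaviour the researcher reports on www.facebook.com; the account names and clock are constructed for the example.

```python
"""Password-reset code verification with per-account attempt limiting.

Added example (not Facebook's code). A six-digit code has only 10**6
possible values, so without an attempt limit an exhaustive search is
cheap; with the limit below, a single issued code can be probed at most
MAX_ATTEMPTS times before it is dead and a fresh one must be requested.
The same check must run on every host that serves the endpoint, since a
limit enforced only on the main site is no limit at all.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6
CODE_TTL_SECONDS = 15 * 60   # assumption: codes are valid for 15 minutes
MAX_ATTEMPTS = 10            # assumption: roughly the main-site limit reported


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class ResetCodeStore:
    """Issues and verifies reset codes; one live challenge per account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._challenges: dict[str, ResetChallenge] = {}

    def issue(self, account_id: str) -> str:
        # A fresh challenge replaces any earlier one, so the attempt counter
        # is tied to the code itself and cannot be carried across codes.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._challenges[account_id] = ResetChallenge(code=code, issued_at=self._clock())
        return code

    def verify(self, account_id: str, guess: str) -> bool:
        ch = self._challenges.get(account_id)
        if ch is None or ch.consumed:
            return False
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            # Expired: drop it so neither a right nor a wrong guess is accepted.
            del self._challenges[account_id]
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            # Locked: even the correct code is refused until a new one is issued.
            return False
        ch.attempts += 1
        # Constant-time comparison so response timing does not leak a
        # matching prefix of the code.
        if hmac.compare_digest(ch.code.encode(), guess.encode()):
            ch.consumed = True  # single use: a replayed code is rejected
            return True
        return False

    def attempts_remaining(self, account_id: str) -> int:
        ch = self._challenges.get(account_id)
        if ch is None or ch.consumed:
            return 0
        return max(0, MAX_ATTEMPTS - ch.attempts)


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("demo-account")  # constructed account id
    print("issued", code, "attempts left", store.attempts_remaining("demo-account"))
    print("right code accepted:", store.verify("demo-account", code))
    print("replay accepted:", store.verify("demo-account", code))
```

The attempt counter lives with the challenge rather than with the client address, so changing source addresses or hosts does not reset it, and a new counter is only obtained by requesting a new code, which is itself a request that can be throttled and logged.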
Facebook's beta programme gathers feedback from testers using a wide range of devices, relying on them to report bugs, and so helps the firm evaluate changes it is unable to test on the main platform.
To demonstrate the issue, the researcher uploaded a video of the attack to YouTube.
Prakash first reported the bug to Facebook on 22 February and it was patched 24 hours later. Then, by 2 March, the researcher was paid the bug bounty of $15,000 for his responsible disclosure.
The platform's bug bounty programme was launched in 2011. Only two years later, the firm had paid out over $1m in rewards to 330 security researchers across the globe, Facebook revealed. At the time, it said the average reward was $2,204 and that most bugs were uncovered in "non-core properties". In its biggest ever payout, the social network paid over $30,000 to Brazilian researcher Reginaldo Silva, who disclosed a 'remote code execution' security flaw in its servers.