Indian 'Anand Prakash' awarded 10 lakh for finding bugs in Facebook that could hack Facebook accounts.
A Bengaluru-based computer programmer, Anand Prakash, has received $15,000 (approximately Rs 10 lakh) from the social network Facebook as a reward for reporting a bug through which he was able to hack into any Facebook account using relatively simple software.
This post is about a simple vulnerability in Facebook through which anyone could easily hack any Facebook account. The bug gave the attacker full access to the compromised account, including the ability to change its password.
When a Facebook user forgets their password and uses the recovery option, Facebook sends a 6-digit OTP to their email address or phone number.
Anand Prakash first tried to brute-force this code (trying every possible combination) against this OTP, but he failed because facebook.com blocks the account after 10-12 invalid attempts.
He then tried the same recovery flow on "beta.facebook.com" and "beta.mbasic.facebook.com" and found that the rate limit was missing there: Facebook allowed an unlimited number of invalid attempts. This let him brute-force the 6-digit OTP and set a new password. He tested this only on his own account, since Facebook's policy forbids doing any harm to other users' accounts. He then reported the bug to Facebook and received $15,000 for it.
Vulnerable request:
POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX
Brute forcing the "n" successfully allowed me to set a new password for any Facebook user.
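As an added example (not code from the original post or from Facebook), the verifier below shows the defensive property the beta domains lacked: the invalid-attempt counter is keyed on the account alone, so every hostname that exposes the recovery endpoint shares one lockout budget and an alternate entry point cannot bypass it. The threshold, method names and hostnames are assumptions.

```python
import hmac
import secrets

MAX_INVALID_ATTEMPTS = 10  # assumed threshold, in line with the 10-12 attempts described above


class RecoveryCodeVerifier:
    """Verifies 6-digit recovery codes with one failure counter per account.

    The counter is keyed on the account only. Whichever hostname served the
    request (www, beta, beta.mbasic, ...) is recorded for auditing but never
    selects a separate counter, so no entry point gets its own fresh budget.
    """

    def __init__(self):
        self._codes = {}     # account -> pending code
        self._failures = {}  # account -> invalid attempts, shared across hosts
        self.audit_log = []  # (account, host, outcome) tuples

    def issue_code(self, account):
        """Generate a fresh code. Deliberately does NOT reset the failure
        counter: re-requesting a code must not clear a lockout."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[account] = code
        return code

    def verify(self, account, host, submitted):
        """Return 'ok', 'invalid' or 'locked'."""
        if self._failures.get(account, 0) >= MAX_INVALID_ATTEMPTS:
            outcome = "locked"  # refused before comparison, even if the code is right
        elif account in self._codes and hmac.compare_digest(
            self._codes[account].encode(), submitted.encode()
        ):
            del self._codes[account]  # single use
            self._failures.pop(account, None)
            outcome = "ok"
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
            outcome = "invalid"
        self.audit_log.append((account, host, outcome))
        return outcome

    def unlock(self, account):
        """Clear a lockout through a separate, audited path (assumed to exist)."""
        self._failures.pop(account, None)
```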