Facebook Bug Exposed Every Account to Hacking

by NewsEditor_ on March 8th, 2016 in Industry and Security News.

Security researcher Anand Prakash has received a well-earned $15,000 bounty from Facebook for reporting a dangerous flaw in its password reset flow. The vulnerability was simple, and it could have been used to take over any Facebook account: all an attacker needed was the victim's email address or phone number. As Facebook is allowing more of its users to store credit and debit card details as part of their account, the consequences of such a flaw could have been severe.

Prakash was examining Facebook's password reset feature, which lets users who have forgotten their password enter their email address or phone number to receive a six-digit code. Entering that code on Facebook proves they control the address or number, and they are then allowed to set a new password. Because the code is only six digits long, there are just one million possible values, so Prakash first tried to brute-force it.

A brute force attack is a way of breaking into an account by guessing its password or verification code. A program submits candidate values one after another, automatically, until the right one is accepted: trial and error at machine speed. Against a six-digit code with only a million possibilities, the only real defence is to limit how many guesses an attacker gets, which is why most services lock the account or throttle further attempts after a small number of failures.

Prakash found that the main Facebook site did exactly that: after roughly a dozen wrong guesses at the six-digit code, further attempts were blocked. He then turned to the beta version of Facebook at beta.facebook.com, which lets users try the newest features still under development before they are released to the general public. On that version of the site there was no limit on how many times a user could guess the six-digit code needed to reset a password.

Prakash then ran a brute force attack against his own account through the beta site and recovered the six-digit code. That let him complete the password reset and log in with a brand new password of his choosing. As mentioned earlier, Facebook acknowledged the severity of the bug and awarded Prakash a cool 15 grand. His contribution to the social media site's security was recognised, and users were kept safe from a potentially dangerous bug.
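To make the arithmetic behind the bug concrete, here is an added example that simulates a six-digit reset-code verifier in Python, once with no guess limit (the behaviour described for the beta site) and once with a lockout after a dozen wrong guesses (the behaviour described for the main site), and runs a sequential brute force against both. It is not code from the original article and not Facebook's code; the class and function names, the lockout threshold of 12 and the sample code value 483921 are assumptions chosen for illustration.

```python
import hmac
import secrets
from typing import Optional

CODE_LENGTH = 6
CODE_SPACE = 10 ** CODE_LENGTH  # 000000..999999: one million possible codes


def generate_code() -> str:
    """Issue a fresh reset code the way a server would: random, zero-padded."""
    return f"{secrets.randbelow(CODE_SPACE):0{CODE_LENGTH}d}"


class ResetCodeVerifier:
    """Stand-in for a password-reset endpoint that checks a six-digit code.

    max_attempts=None models an endpoint with no guess limit (the behaviour
    described for beta.facebook.com); a small integer models the main site,
    which blocked further guesses after roughly a dozen failures.
    """

    def __init__(self, code: str, max_attempts: Optional[int] = None):
        self._code = code
        self._max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        # Once locked, every answer is "no", whatever the guess.
        if self.locked:
            return False
        self.attempts += 1
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(self._code, guess):
            return True
        if self._max_attempts is not None and self.attempts >= self._max_attempts:
            self.locked = True
        return False


def brute_force(verifier: ResetCodeVerifier) -> Optional[str]:
    """Submit 000000, 000001, ... until a guess is accepted or the code locks.

    Returns the accepted code, or None if the verifier locked first.
    """
    for n in range(CODE_SPACE):
        guess = f"{n:0{CODE_LENGTH}d}"
        if verifier.verify(guess):
            return guess
        if verifier.locked:
            return None
    return None


def lockout_success_probability(max_attempts: int) -> float:
    """Chance that one brute-force run beats a uniformly random code when the
    verifier allows only max_attempts guesses."""
    return max_attempts / CODE_SPACE


if __name__ == "__main__":
    code = "483921"  # constructed sample; a real server would call generate_code()

    unlimited = ResetCodeVerifier(code)
    print("no limit   :", brute_force(unlimited), "after", unlimited.attempts, "guesses")

    limited = ResetCodeVerifier(code, max_attempts=12)
    print("12-attempt :", brute_force(limited), "after", limited.attempts, "guesses")

    print("per-code success chance with 12 guesses:", lockout_success_probability(12))
```

The arithmetic is the whole story. With no limit the loop simply walks the million-entry code space and always wins; with a lockout at twelve guesses the attacker's chance per issued code is 12/1,000,000, about 0.001%. A real verifier should also expire the code after a few minutes and invalidate it once used, and the limit has to be enforced on every host that serves the reset endpoint, which is the step the beta site had missed.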
