
Indian Techie Anand Prakash Rewarded $15000 By Facebook For Pointing Out a Gaping Hole



Remember how, in the film, Eduardo got into Harvard's network by working out a few equations scrawled on his dorm-room window, something Mark Zuckerberg later pointed out during his interrogation by the board?

Well, something of that sort happened here, except this time it wasn't a movie, and it was done for a good cause.

Anand Prakash of Bengaluru found a simple vulnerability in Facebook that could have exposed thousands of Facebook accounts. He wrote in his blog:

"Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address. Facebook will then send a 6-digit code to his phone number/email address, which the user has to enter in order to set a new password. I tried to brute-force the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts."

He continues, "Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints. I tried to take over my account (as per Facebook's policy you should not do any harm on any other users account) and was successful in setting a new password for my account. I could then use the same password to login in the account."
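The weakness described in the quoted blog entry is that the attempt limit was enforced per hostname rather than on the account's reset challenge itself. The following is an added example, written for this article and not code from the original post, Anand Prakash's blog, or Facebook, that shows the defensive design: a password-reset service whose attempt counter, expiry and one-time-use flag live with the challenge record, so every front end that calls `verify()` shares the same limit. The class names, the 10-attempt threshold and the 10-minute lifetime are assumed values chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6
MAX_ATTEMPTS = 10        # lock the challenge after this many wrong guesses (assumed threshold)
CODE_TTL_SECONDS = 600   # reset code expires after 10 minutes (assumed value)


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class PasswordResetService:
    """Issues and verifies 6-digit reset codes with an account-wide attempt counter.

    The counter is stored on the challenge, not on the front end, so calls
    arriving via www, beta or mbasic all consume the same budget. A limit
    enforced only at one hostname is exactly the gap the article describes.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing expiry
        self._challenges: dict[str, ResetChallenge] = {}

    def issue_code(self, account: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-pad so "000123" is a valid code
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._challenges[account] = ResetChallenge(code=code, issued_at=self._clock())
        return code   # in a real system this goes out of band (SMS/email), never to the caller

    def verify(self, account: str, candidate: str, host: str) -> tuple[bool, str]:
        ch = self._challenges.get(account)
        if ch is None:
            return False, "no active reset challenge"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]
            return False, "code expired"
        if ch.attempts >= MAX_ATTEMPTS:
            # Locked: do not even compare, and do not reveal whether the guess was right
            return False, "too many attempts; challenge locked"
        ch.attempts += 1
        # compare_digest avoids leaking how many leading digits matched via timing
        if hmac.compare_digest(ch.code.encode(), candidate.encode()):
            del self._challenges[account]        # one-time use
            return True, f"code accepted via {host}"
        return False, f"wrong code ({ch.attempts}/{MAX_ATTEMPTS} attempts used)"

    def attempts_used(self, account: str) -> int:
        ch = self._challenges.get(account)
        return ch.attempts if ch else 0


def demo() -> dict:
    """Exercise the three cases a reviewer would check; returns results for assertions."""
    now = [1_000_000.0]                          # constructed fake clock
    svc = PasswordResetService(clock=lambda: now[0])
    out = {}

    # 1. Correct code on the first try is accepted and the challenge is consumed.
    real = svc.issue_code("carol@example.com")
    ok, _ = svc.verify("carol@example.com", real, "www")
    out["correct_first_try"] = ok and svc.attempts_used("carol@example.com") == 0

    # 2. Wrong guesses spread across three front ends share one budget.
    real = svc.issue_code("alice@example.com")
    hosts = ["www", "beta", "mbasic.beta"]
    for i in range(12):                          # 12 deliberately wrong guesses (constructed)
        wrong = f"{(int(real) + 1 + i) % 10 ** CODE_LENGTH:06d}"
        svc.verify("alice@example.com", wrong, hosts[i % len(hosts)])
    out["attempts_after_spread"] = svc.attempts_used("alice@example.com")
    ok, msg = svc.verify("alice@example.com", real, "beta")
    out["real_code_rejected_when_locked"] = (not ok) and "locked" in msg

    # 3. An unused code stops working once its lifetime has passed.
    real = svc.issue_code("bob@example.com")
    now[0] += CODE_TTL_SECONDS + 1
    ok, msg = svc.verify("bob@example.com", real, "www")
    out["expired_rejected"] = (not ok) and msg == "code expired"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of storing the counter on the challenge is that adding a new hostname or client cannot silently create an unlimited path: whichever endpoint takes the guess, it has to go through the same `verify()` and the same budget. Locking without comparing also means a correct guess after the lock learns nothing.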

He promptly reported the issue to Facebook on 22nd February; it was acknowledged immediately and fixed by the next day. Taking into account the gravity of the issue, Facebook awarded Anand Prakash a bounty of $15000 on 2nd March 2016.


Kudos to the techie, Anand Prakash!

Reviewed by India on March 08, 2016.
