Facebook awards Rs 10 lakh to Indian for uncovering massive security flaw

An Indian security researcher based in Bengaluru has been awarded $15000 (about Rs 10 lakh) for reporting a high-risk bug to Facebook. The figure is on the higher side of the scale because of the massive risk the vulnerability could have posed to the site, potentially allowing hackers to log into anyone’s account.

Anand Prakash, a Security Engineer at Flipkart, first uncovered the flaw about a month ago. Facebook’s current login process allows users to get a 6-digit code sent to their mobile number or email ID in case they forget their password. Prakash noticed that while the main website cut him off after 10 or 12 wrong guesses for the PIN, the beta version did not have this limitation.

He thus proceeded to hack into his own account, in keeping with Facebook’s policies on ethical hacking, and was able to successfully guess the PIN. Although the problem had only affected the beta site, it was still a serious issue given that all Facebook accounts are present in the beta version as well. This means that wily attackers could have easily gotten away with hacking into them if it hadn’t been discovered in time.
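
The control the beta site lacked can be sketched as follows. This is an added example, not code from the article, from Prakash's post or from Facebook: the failed-guess counter is stored with the reset code for the account, so every front-end that reaches the same accounts shares one limit. The class name, the account ID, the front-end labels and the cap of 10 are assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 10  # assumed cap; the article says the main site stopped at "10 or 12"


class ResetCodeVerifier:
    """Checks 6-digit reset codes with one failure counter per account.

    The counter lives with the code, not with the front-end that received
    the guess, so every hostname that reaches the same accounts shares it.
    """

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._pending = {}   # account_id -> [code, failed_attempts]
        self.audit = []      # (account_id, frontend, result), for detection

    def issue(self, account_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = [code, 0]
        return code  # a real system would send this by SMS or e-mail

    def verify(self, account_id, submitted, frontend):
        result = self._check(account_id, submitted)
        self.audit.append((account_id, frontend, result))  # frontend is logged only
        return result

    def _check(self, account_id, submitted):
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_active_code"
        if hmac.compare_digest(entry[0].encode(), submitted.encode()):
            del self._pending[account_id]      # codes are single use
            return "ok"
        entry[1] += 1
        if entry[1] >= self.max_failures:
            del self._pending[account_id]      # burn the code after too many misses
            return "locked"
        return "wrong"


def demo():
    """Constructed run: wrong guesses alternate between two front-ends."""
    v = ResetCodeVerifier()
    code = v.issue("acct-1")
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    results = [v.verify("acct-1", wrong, ("www", "beta")[i % 2]) for i in range(10)]
    return results, v.verify("acct-1", code, "beta")
```

Requests for a new code need their own throttle, which this sketch leaves out; the audit list is where a detection rule would look for many failures against one account.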

As per Prakash’s blog post on the vulnerability, he was able to view all kinds of personal data, from debit and credit card details to messages. He first reported the issue to Facebook on February 22, after which the bug was fixed and he was awarded $15000. The social media giant has a special bug bounty program in place for such occurrences.

Facebook has granted over $4.3 million to more than 800 security researchers all over the world since the project was launched in 2011. Interestingly, the average payout last year was $1780 and India, Egypt, and Trinidad and Tobago had received the maximum amount of rewards.
