Facebook Fixes Flaw That Could've Let Anyone Access Your Account

Advertisement
By Manish Singh | Updated: 17 March 2016 19:09 IST
Facebook Fixes Flaw That Could've Let Anyone Access Your Account

Facebook has awarded a sum of $15,000 (roughly Rs. 10 lakhs) to an India-born security researcher. Anand Prakash received the bug bounty from Facebook after disclosing a vulnerability in the social juggernaut's website that enabled an attacker to gain access to anyone's account.

Prakash discovered a vulnerability on Facebook website that allowed him to change the user account password for any account. He reported the vulnerability to Facebook last month and the company has since patched it. Prakash has now shed light on the vulnerability, and also demonstrated it in works on a video.

The security hole resided in company's developer portal, beta.facebook.com, which is designed for developers to perform tests before rollout to the general public. Facebook sends users a 6-digit code over email or text message upon password reset request. To prevent abuse or potential ill intents, Facebook allows only a certain number of attempts. Turns out, over at the beta website, a user could make any number of guesses.

In a blog post, Prakash wrote that he utilised Burp Suite, a popular testing tool. Prakash noted that because it's only a six-digit number, and brute forcing password is possible, it was not impossible to crack into someone's account, guessing the reset password.

Advertisement

"[...] I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints," he wrote in a blog post. "I tried to takeover my account ( as per Facebook's policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account."

 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Samsung Galaxy M36 5G to Launch in India Soon; Design, Price Range Teased
  2. OnePlus Nord 5 and Nord CE 5 Colour Options, Key Features Leaked
  3. Nothing Phone 3 to Be Equipped With the Snapdragon 8s Gen 4 SoC
  4. Samsung Galaxy S25 Ultra Price in India Discounted for a Limited Time
  5. Poco F7 5G to Launch in India and Global Markets on This Date
  6. Trump Mobile T1 Phone With 5,000mAh Battery Announced; See Price, Features
  1. Nintendo Direct Livestream Featuring Donkey Kong Bananza Announced for June 18
  2. Amazfit Active 2 Square Debuts With 1.75-Inch AMOLED Display and Up to 10 Days Battery Life
  3. Samsung’s Exynos 2500 SoC Confirmed to Feature Satellite Connectivity Ahead of Galaxy Z Flip 7 Launch
  4. Nothing Phone 3 Confirmed to Come With Snapdragon 8s Gen 4 SoC Ahead of July 1 Launch
  5. Samsung Galaxy M36 5G India Launch Teased; Rear Design and Price Range Revealed
  6. Reddit Unveils Reddit Community Intelligence, Its Suite of AI-Powered Ad Tools for Enterprises
  7. Sony Bravia 8 II QD-OLED TV Series With Acoustic Surface+ Audio, Studio Calibrated Mode Launched in India
  8. Asus Unveils Refreshed Vivobook S16, S16 OLED Laptops in India Alongside Vivobook S14: Price, Features
  9. Apple Watch Ultra 3 Said to Launch This Year; Product Roadmap for Next Three Years Leaked
  10. Google Unveils India-Focused Safety Charter, Shares How It Is Using AI to Combat Online Frauds and Scams
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.