Facebook Inc (FB) Flaw Found, Hacker Rewarded for Reporting it


A computer programmer, or “hacker”, has revealed the simple technique that allowed him to log into any Facebook Inc (NASDAQ:FB) account and act as that user.

The product security engineer at Indian e-commerce company Flipkart used a common method known as a “brute force” attack against the popular social media network. Facebook’s 1.6 billion users were vulnerable for 2 days before the technology company got on top of the situation and rectified the problem.

The flaw lay in the password reset flow. A user who loses their password can recover their account by entering their email address, username or phone number; Facebook then sends a six-digit code to one of the contact methods they registered, and that code can be used in place of the password to log in. To stop hackers, or “computer programmers”, from guessing the code, Facebook rejects wrong six-digit combinations and eventually locks the account after a number of attempts.

The programmer, Mr Anand Prakash, found that the Facebook beta website, which is used by software developers but lets anyone log in, was not as strict as the main website. Using Burp Suite, a program that let him try every possible combination of the six-digit code, he could gain access to a user’s account and then make changes that would keep the original user locked out.
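The article’s description of the reset flow (a six-digit code, wrong guesses rejected, the account locked after a number of attempts) comes down to one server-side check that was missing on the beta site. The following is an added illustration, not Facebook’s code or anything from Mr Prakash’s report: a small reset-code verifier that enforces the five-attempt lockout Professor Woodward describes as standard practice. The attempt limit, code lifetime and lockout duration are assumed values chosen for the example.

```python
import hmac
import secrets
import time

# Assumed policy values for this example (not Facebook's real settings).
MAX_ATTEMPTS = 5          # lock after five wrong guesses
CODE_TTL_SECONDS = 600    # a reset code is only valid for ten minutes
LOCKOUT_SECONDS = 900     # a locked account waits fifteen minutes


class ResetCodeStore:
    """Issues six-digit password reset codes and enforces a per-account attempt limit.

    The counters live with the account, not with the endpoint that received the
    guess, so a second front end (a beta site, a mobile API) cannot bypass them.
    """

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested offline
        self._codes = {}          # account -> (code, issued_at)
        self._failures = {}       # account -> wrong guesses against the current code
        self._locked_until = {}   # account -> timestamp until which verification is refused

    def issue_code(self, account):
        """Generate a fresh six-digit code and reset the failure counter for it."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[account] = (code, self._now())
        self._failures[account] = 0
        return code

    def verify(self, account, guess):
        """Check a guess; returns 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        now = self._now()
        if self._locked_until.get(account, 0) > now:
            return "locked"
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]
            return "expired"
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(code, str(guess)):
            del self._codes[account]          # codes are single use
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_ATTEMPTS:
            del self._codes[account]          # invalidate the code as well as locking
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
            return "locked"
        return "wrong"


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue_code("demo-account")
    print("issued code:", code)
    print("correct guess:", store.verify("demo-account", code))
```

The important design choice is where the counter is kept. The beta site in the article accepted the same reset codes as the main site but did not apply the main site’s attempt limit; keeping the failure count and lock state in one store keyed by account, shared by every front end, is what prevents that kind of gap. Invalidating the code on lockout also means a guess cannot be resumed once the lock expires.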

He could also log out any other devices signed into that account, so in essence he had full control of it. Mr Prakash did not, however, break into anyone’s account but his own. He demonstrated the flaw by brute forcing his way into his own account and showing how he then had access to private messages and credit card numbers.

Mr Prakash said the hack was available to anyone and was very easy to exploit. The only requirement was the target’s username, which is easy to find; the Facebook founder Mark Zuckerberg, for example, uses the username “zuck”. Prakash did the right thing and alerted Facebook, which paid him a bounty reward of $15,000 and was quick to fix the problem in February.

Analysts said the simplicity of the hack worried them. Professor Alan Woodward, a cybersecurity expert at the University of Surrey, said: “It was surprisingly simple, you’d have thought someone would have picked up on it by now. You would think sites would allow you to have five attempts and then lock you out, it’s pretty standard practice.” Facebook, for its part, praised its bug bounty program and said it was happy to recognize and reward Anand for his report.