Facebook paid $15,000 to an independent security researcher who discovered a simple way to reset the passwords of other people's accounts by setting a new password that only he knew. In this way he could lock the real owner out of any account he chose.
The person who discovered the security gap and helped Facebook fix it before it could be abused is Anand Prakash, a security researcher from India.
As he describes on his blog, the issue is actually a trivial brute-force attack against the password recovery form, and not against Facebook's main website, which is protected against this type of automated attack.
The password recovery form is meant for users who have forgotten their Facebook password. The user fills in a form with the email address or phone number associated with their Facebook account.
Once that has been entered, the user receives a six-digit code by SMS. Entering that code into the password reset form gives access to a page where the password of the account can be changed.
If someone tries to guess this six-digit code on Facebook's main site, facebook.com, they are blocked after 10 or 12 invalid attempts.
Mr. Prakash discovered that this brute-force protection limit was not active on Facebook's beta platform, accessible at beta.facebook.com.
This is the platform Facebook uses to test new features before making them available to the general public on the main platform.
So, using a simple brute-force tool, Mr. Prakash was able to discover the six-digit code he needed to gain access to any account.
Using a simple script, the researcher tried every possible combination until he hit the correct six-digit code. Everything after that was easy.
The researcher discovered the issue on February 22, reported it to Facebook, and the company fixed it the next day.
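The whole bug comes down to one missing control: the server that checks the SMS code must count failed guesses and stop accepting input once the cap is hit, and that cap must apply to every deployment that exposes the form, beta included. The following is an added example written for this article; it is not Facebook's code and the class, method names and the cap of 10 attempts are assumptions chosen to illustrate the defence. It models a reset-code verifier that issues a random six-digit code, compares guesses in constant time, makes a correct code single-use, and locks the challenge after a fixed number of wrong answers so that further guesses, even the right one, are rejected until a fresh code is issued.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption for this example: one shared policy object for every front end
# (www and beta alike), so the limit cannot silently differ between them.
MAX_ATTEMPTS = 10


@dataclass
class ResetChallenge:
    """One outstanding password-reset challenge for an account."""
    code: str            # six-digit code delivered out of band (SMS)
    attempts: int = 0    # wrong guesses seen so far
    locked: bool = False # set once the cap is reached


class ResetCodeVerifier:
    """Server-side check for six-digit reset codes with an attempt cap.

    Hypothetical class written for this example; it stores challenges in
    memory so it runs stand-alone.
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS) -> None:
        self.max_attempts = max_attempts
        self._challenges: Dict[str, ResetChallenge] = {}

    def issue(self, account_id: str) -> str:
        """Create a fresh challenge, replacing any previous one for the account."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account_id] = ResetChallenge(code=code)
        # In a real system the code goes to the user's phone, never to the
        # web client; it is returned here only so the example can be tested.
        return code

    def is_locked(self, account_id: str) -> bool:
        ch = self._challenges.get(account_id)
        return ch is not None and ch.locked

    def remaining_attempts(self, account_id: str) -> Optional[int]:
        ch = self._challenges.get(account_id)
        if ch is None:
            return None
        return max(self.max_attempts - ch.attempts, 0)

    def verify(self, account_id: str, submitted: str) -> bool:
        """Return True only for the correct, unexpired, unlocked code.

        Every call on a locked challenge fails without comparing anything,
        which is the control that was absent on the beta platform.
        """
        ch = self._challenges.get(account_id)
        if ch is None or ch.locked:
            return False

        ch.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self._challenges[account_id]  # single use: cannot be replayed
            return True

        if ch.attempts >= self.max_attempts:
            ch.locked = True  # stays locked until issue() is called again
        return False


if __name__ == "__main__":
    verifier = ResetCodeVerifier()
    code = verifier.issue("demo-account")
    print("correct code accepted:", verifier.verify("demo-account", code))
```

The important design point is that the lock is enforced inside `verify`, the same function every front end calls, rather than in a per-site web layer that a beta or staging deployment might not include. A six-digit code has only one million values, so without the cap an automated client needs at most that many requests; with a cap of ten the expected success rate of a guessing campaign is one in a hundred thousand per issued code, and each lockout is also an event worth alerting on.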
Below is the PoC video posted by the researcher.