Bengaluru hacker, Prakash Anand awarded by Facebook with Rs 10 lakh approximately $15000 after finding login system bug. The bug could let hacker’s access user personal information which include personal chat, pictures and even credit/debit cards details stored in payment section.
Prakash Anand awarded Rs 10 lack after finding Facebook bug
Prakash works as a security analyst at Flipkart, he also mentioned all the conversation in his blog. He send the email to Facebook team on 22nd February 2016 and received confirmation messages from the team says, verified the fix from our end. Finally he awarded $15000 from Facebook team as seen the below image.
Prakash Anand wrote the following, on his Blog
Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110
,Facebook will then send a 6 digit code on his phone number/email address which user has to enter in order to set a new password. I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.
Then i looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints. I tried to takeover my account ( as per Facebook’s policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account.
After review his message Facebook team reply at email saying,
After reviewing the issue you have reported, we have decided to award you a bounty of $15000 USD. We fulfill our bounties through https://bugbountypayments.com/
If you have not registered on https://bugbountypayments.com/
To properly collect your bounty, you will need to reply to this email with the following information:
– First name
– Last name
– Email address (this is where we will send the registration email)