A hacker in India has revealed how he found a way to break into any Facebook user’s profile, before alerting the social network to the issue and being rewarded for his work.
Anand Prakash is a security engineer in Bangalore who posted to his blog a piece entitled “How I could have hacked all Facebook accounts”, which detailed how he had discovered a way to exploit the ‘forgot password?’ section of the site and force his way into any account.
The forgotten password section of Facebook works as follows: if you forget your log-in, the site will email or text you a verification code in order to gain access to your profile. In order to protect this process from hackers, Facebook places what is known as rate-limiting on the codes, meaning that you have a limited number of chances to input the code Facebook sends you.
This prevents hackers using what’s known as a brute-force attack, using software to continuously enter numbers until it gets the right one.
What Prakash discovered was that Facebook beta sites did not in fact have the rate-limiting feature in place, so you had an infinite number of chances to try to log-in. This is how Prakash got in.
The fallout if this were to happen for real is potentially immense when you think of the amount of detail that is stored on your Facebook profile – in many cases it includes payment information.
Having discovered the weakness, Prakash says he reported it to Facebook on February 22. On March 2, he was awarded $15,000 (£10,500) by the social network for his troubles.
Facebook has not officially confirmed the incident, though images from Prakash’s blog suggest communication took place, and similar rewards have been handed out in the past.