Facebook launched its bug bounty program in 2011 with the aim of paying bounties to researchers who discover security flaws and report them to the company. To date the company has received over 2,400 valid submissions and has awarded over $4.3 million to more than 800 researchers around the world. The highest payout recorded recently went to a security researcher named Anand Prakash.
Just last month, Anand Prakash stumbled on a major flaw in Facebook’s account security that would have allowed anyone to break into user accounts. When a Facebook account is reset, Facebook sends a six-digit PIN to the user’s phone, and that PIN then acts as the user’s temporary password while the account is reset. On the main site Facebook cuts people off after ten or twelve bad guesses, but Prakash noticed that the same precaution was missing on beta.facebook.com. That site is where developers deploy new features that are not yet ready for the main site, facebook.com, yet every single account is reachable on beta.facebook.com as well.
This meant the beta page could be flooded with PIN guesses: a six-digit PIN has only a million possible values, so with no limit on attempts an attacker could simply try every code and break into any account they wanted. The bug was the result of a change added to the beta page a few days before Prakash discovered it, and does not appear to have been widely exploited before he found it.
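To make the mechanism concrete, here is an added example (not code from the article or from Facebook) that models the reset flow just described: a six-digit PIN is issued per account, a guess is checked against it, and a failed-attempt counter either locks the account after a handful of bad guesses or, as on the beta host, never does. The class, method and account names, the fixed PIN used so the run is repeatable, and the threshold of ten attempts are all assumptions for illustration; the article only says Facebook blocks after "ten or twelve" bad guesses.

```python
import secrets

PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS           # 1,000,000 possible codes


class ResetPinStore:
    """Server-side state for the reset flow, keyed by account rather than by
    front end: the PIN and its failed-attempt counter belong to the account
    record, so www, beta or any other host that accepts a guess consults the
    same counter.  max_attempts=None models the beta host described in the
    article (no cut-off at all); max_attempts=10 models the production
    behaviour of blocking after about ten bad guesses.  (Hypothetical design.)"""

    def __init__(self, max_attempts=10):
        self.max_attempts = max_attempts
        self._pins = {}       # account -> current PIN (str)
        self._failed = {}     # account -> failed guesses so far

    def issue(self, account, pin=None):
        """Start a reset: generate a random 6-digit PIN (or accept a fixed one
        for tests) and reset the failure counter."""
        if pin is None:
            pin = f"{secrets.randbelow(PIN_SPACE):0{PIN_DIGITS}d}"
        self._pins[account] = pin
        self._failed[account] = 0
        return pin

    def is_locked(self, account):
        """True once the account has used up its allowed bad guesses."""
        if self.max_attempts is None:
            return False
        return self._failed.get(account, 0) >= self.max_attempts

    def verify(self, account, guess):
        """Return True only for the correct PIN on an unlocked account.  A
        locked account rejects even the right PIN, and every wrong guess is
        counted before the result is returned."""
        if account not in self._pins or self.is_locked(account):
            return False
        # constant-time comparison so response time does not leak how many
        # leading digits of the guess were right
        if secrets.compare_digest(guess, self._pins[account]):
            del self._pins[account]      # single use: a PIN is consumed once accepted
            return True
        self._failed[account] += 1
        return False


def brute_force(store, account):
    """Attacker's view: walk the whole PIN space in order until a guess is
    accepted or the server starts refusing guesses.
    Returns (pin_or_None, guesses_sent)."""
    sent = 0
    for n in range(PIN_SPACE):
        if store.is_locked(account):
            break                        # server answers "too many attempts"
        guess = f"{n:0{PIN_DIGITS}d}"
        sent += 1
        if store.verify(account, guess):
            return guess, sent
    return None, sent


if __name__ == "__main__":
    # Constructed scenario: the same fixed PIN issued under both policies.
    for policy in (None, 10):
        store = ResetPinStore(max_attempts=policy)
        store.issue("victim", pin="483921")
        print("max_attempts =", policy, "->", brute_force(store, "victim"))
```

With no limit the attacker recovers the PIN after a few hundred thousand guesses, which is nothing for a script; with a limit of ten the run stops after ten guesses and the correct PIN is refused thereafter. The design point the beta-host bug illustrates is that the counter must live with the account on the server, so that every host which accepts a guess shares it; a limit enforced only by one front end is no limit at all.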
Prakash sent in his find through Facebook’s vulnerability reporting page, and Facebook confirmed the very next day that it had been fixed. Eight days later it rewarded him with $15,000 for the report. The size of the payout, for a bug that was simple rather than complex, shows that Facebook’s White Hat page is not joking when it says payouts are based on risk, impact and other factors: the change Prakash found could have triggered widespread attacks on user accounts, ranking the bug high on the risk index.
Facebook said in a statement: “One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production…We’re happy to recognize and reward Anand for his excellent report.” So in case you have some free time on your hands and are a little tech-savvy, you can go hunting for faults in Facebook’s security and join in reaping the benefits of the bug bounty programme.