This article is more than 1 year old
Bloke pockets $15k for spotting Facebook password-reset blunder
Beta site security bug squished
Facebook has slung US$15,000 in the direction of Anand Prakesh for discovering a serious bug on its beta servers.
Late in February, Prakesh writes, he discovered that the company's beta sites didn't rate limit the PINs used for password resets.
If you request a password reset via a PIN sent to your phone, after 10 or 12 invalid attempts the attacker is blocked.
However, he writes, the same didn't apply to beta.facebook.com or mbasics.beta.facebook.com – and that made it trivial to write a script to brute-force the 6-digit PIN.
No terms of service were harmed in the making of the attack though, since Prakash attacked his own account, as shown in this video.
Here's the vulnerable request Prakash put in his notification to Facebook.
POST /recover/as/code/
HTTP/1.1 Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX
“Brute forcing the "n" successfully allowed me to set [a] new password for any Facebook user”, he writes. Facebook has now patched the bug. ®
Biting the hand that feeds IT
