Bloke pockets $15k for spotting Facebook password-reset blunder

Beta site security bug squished

Facebook has slung US$15,000 in the direction of Anand Prakash for discovering a serious bug on its beta servers.

Late in February, Prakash writes, he discovered that the company's beta sites didn't rate-limit guesses at the PINs used for password resets.

On the main site, if you request a password reset via a PIN sent to your phone, further guesses are blocked after 10 or 12 invalid attempts, so an attacker can't simply try every code.

However, he writes, that limit was missing on beta.facebook.com and mbasics.beta.facebook.com – and since a 6-digit PIN has only a million possible values, that made it trivial to write a script to brute-force it.
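To make the difference concrete, here is an added simulation, written for this page rather than taken from Prakash's script or from any Facebook code, of a reset-code check with and without a per-account attempt budget, with a brute-force loop run against each. The service class, the account names and the budget of 10 are assumptions for illustration, standing in for the "10 or 12 attempts" the article mentions.

```python
"""Simulation (constructed for this page, not Facebook's code): a 6-digit
password-reset code checked with and without a per-account attempt budget.

max_attempts=None models the beta hosts with no limit; max_attempts=10 models
the limit the production site applied.
"""
import hmac
import secrets
from typing import Optional


class ResetCodeService:
    """Issues and checks 6-digit reset codes for an account (hypothetical service)."""

    CODE_DIGITS = 6

    def __init__(self, max_attempts: Optional[int]):
        self.max_attempts = max_attempts        # None = no rate limit (the bug)
        self._codes: dict[str, str] = {}        # account -> active code
        self._attempts: dict[str, int] = {}     # account -> failed guesses so far

    def issue_code(self, account: str, code: Optional[str] = None) -> str:
        """Generate the code that would go out by SMS and reset the guess counter.

        A fixed `code` may be supplied for deterministic tests; real issuance
        always draws a fresh random value.
        """
        if code is None:
            code = f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        self._codes[account] = code
        self._attempts[account] = 0
        return code

    def verify(self, account: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'locked'.

        Once the budget is spent the code is invalidated, so even the correct
        value is refused afterwards and a new code must be requested.
        """
        if account not in self._codes:
            return "locked"
        if self.max_attempts is not None and self._attempts[account] >= self.max_attempts:
            self._codes.pop(account, None)
            return "locked"
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(self._codes[account], guess):
            self._codes.pop(account)            # a code is single-use
            return "ok"
        self._attempts[account] += 1
        return "wrong"


def brute_force(service: ResetCodeService, account: str) -> tuple[bool, int]:
    """Attacker loop: submit every 6-digit value in order until accepted or locked out.

    Returns (succeeded, number_of_guesses_sent).
    """
    sent = 0
    for n in range(10 ** ResetCodeService.CODE_DIGITS):
        sent += 1
        result = service.verify(account, f"{n:06d}")
        if result == "ok":
            return True, sent
        if result == "locked":
            return False, sent
    return False, sent


def demo(max_attempts: Optional[int]) -> tuple[bool, int]:
    """Issue a random code to 'victim' (the attacker never sees it) and attack it."""
    svc = ResetCodeService(max_attempts)
    svc.issue_code("victim")
    return brute_force(svc, "victim")


if __name__ == "__main__":
    print("no limit :", demo(None))   # succeeds after at most a million guesses
    print("limit 10 :", demo(10))     # ten wrong guesses, then the 11th is refused
```

The budget has to be keyed to the account or reset session, not just the client IP, because an attacker can spread a million requests over many addresses; and a budget of ten guesses against a 6-digit code still leaves a one-in-100,000 chance per reset, which is why the code must also be single-use and expire quickly.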

No terms of service were harmed in the making of the attack though, since Prakash attacked his own account, as shown in a video he published.


Here's the vulnerable request Prakash included in his report to Facebook; the n parameter carries the PIN guess:

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

“Brute forcing the "n" successfully allowed me to set [a] new password for any Facebook user”, he writes. Facebook has now patched the bug. ®

Biting the hand that feeds IT © 1998–2019