Indian researcher found a new way to hack Facebook! Got $15,000 from FB as reward!

Anand Prakash is a Bangalore-based security researcher from India. He discovered a vulnerability in Facebook's password reset procedure. According to Anand, the vulnerability allowed him to reset the password of any Facebook account by brute-forcing the reset code. Attackers could have exploited it to reset the password of any account.

Anand described it in a blog post, in which he said: "I have found a vulnerability in Facebook and hackers can exploit this vulnerability to reset the password of any account. During the test, I got full access to an account, and all private photos and messages were in front of me on my computer's screen. Credit card information was also available under the payment section. Facebook rewarded me with 15,000 US dollars, and this vulnerability has now been fixed by Facebook."

What did he do?

Anand found this vulnerability in the "Forgot Password" flow used by Facebook. A normal Facebook user clicks it after forgetting their password and needs to reset it. In the forgot-password procedure, Facebook sends a 6-digit code to the user's mobile number or email address. The user can reset the password by entering this 6-digit code.

Anand found that a brute force attack was possible here to bypass this step. While looking for bugs in the "Forgot Password" procedure, he discovered that 12 wrong attempts were possible before being locked out of a Facebook account.

He also tried this on Facebook's beta pages. "beta.facebook.com" and "mbasic.beta.facebook.com" are Facebook's beta sites, and both were vulnerable to this attack: there was no limit on the number of attempts. This absence of an attempt limit allowed him to brute-force the code and reset the password of a Facebook account.
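As an added example (not Anand's code and not Facebook's), here is the defensive side of what the write-up describes: a reset-code verifier that enforces the 12-attempt cap, invalidates the code once the cap is exceeded, and makes the code single-use and time-limited, plus a helper showing why the cap matters for a 6-digit code. The 10-minute expiry, the in-memory store and the account names are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 12     # the cap the article reports for www.facebook.com
TTL_SECONDS = 600     # assumed expiry; the article does not state Facebook's


class ResetCodeStore:
    """Per-account reset codes with an attempt cap, expiry and one-time use."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=TTL_SECONDS, now=time.time):
        self._codes = {}          # account -> {"code", "attempts", "issued"}
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._now = now           # injectable clock, so expiry can be tested

    def issue(self, account):
        # CSPRNG code, zero-padded so that "000123" is a valid 6-digit code
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = {"code": code, "attempts": 0, "issued": self._now()}
        return code

    def verify(self, account, submitted):
        entry = self._codes.get(account)
        if entry is None:
            return False
        if self._now() - entry["issued"] > self.ttl:
            del self._codes[account]          # expired: force a fresh code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.max_attempts:
            del self._codes[account]          # cap hit: the 10^6 space cannot be walked
            return False
        ok = hmac.compare_digest(entry["code"], submitted)   # constant-time compare
        if ok:
            del self._codes[account]          # one-time use
        return ok


def brute_force_success_probability(max_attempts, digits=CODE_DIGITS):
    """Chance of guessing a uniformly random code within the allowed attempts."""
    space = 10 ** digits
    return min(max_attempts, space) / space   # 12 attempts -> 1.2e-05; no cap -> 1.0
```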

On February 22, 2016, Anand reported this vulnerability to Facebook, and on February 23, 2016 Facebook fixed it. Facebook also paid him 15,000 US dollars under its bug bounty program.