Facebook paid $15,000 for a vulnerability that allowed resetting any user's password.
Anand Prakash, an independent Indian security researcher, discovered a nasty vulnerability in the Facebook social network that allowed the password-reset confirmation code to be brute-forced, giving full access to the victim's account. Given the severity of the bug, Facebook paid him $15,000 under its bug bounty program.
Out of curiosity, Anand examined the password recovery form, which sends a 6-digit confirmation code to the phone number or e-mail address registered by the user. Normally the million possible values of a 6-digit code cannot be enumerated, because the page blocks further attempts after more than 10 wrong codes.
However, when he checked the same password recovery form on beta.facebook.com and mbasic.beta.facebook.com, Anand found that the developers had forgotten to apply the attempt limit there. These sites are used to beta-test new functionality before it appears on the main site. As a result, the researcher managed to "hack" his own account by guessing the 6-digit confirmation code (Facebook's rules forbid attacking other users' accounts, even for research purposes).
In a simple HTTP request

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

the parameter n was iterated through all 6-digit values in turn, while the other parameters stayed the same. Just 10 days after the report was sent to Facebook, Anand received notice of the award.
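To make the difference between the beta site and the main site concrete, here is an added example that is not part of the original article or of Anand's write-up: a toy Python model of the /recover/as/code/ endpoint, once without a failed-attempt counter (the beta-site behaviour) and once with a 10-attempt lockout, plus the enumeration loop that replays the request above with n = 000000, 000001, ... The session object, the response messages and the lockout rules are assumptions made for illustration; nothing here talks to Facebook, and the lsd value is just the constant CSRF token from the quoted request.

```python
"""Model of the reset-code brute force from the article (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_ATTEMPTS = 10          # assumed lockout threshold, as on the main site
CODE_SPACE = 1_000_000     # 6-digit codes: 000000 .. 999999


@dataclass
class ResetSession:
    """Server-side state for one password-recovery flow (assumed shape)."""
    code: str              # 6-digit code sent to the user's phone or e-mail
    attempts: int = 0      # wrong guesses so far (hardened handler only)
    locked: bool = False   # set on lockout or after the code has been used


def parse_form(body: str) -> dict:
    """Parse a form body such as 'lsd=AVoywo13&n=123456' into a dict."""
    form = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            form[key] = value
    return form


def handle_code_vulnerable(session: ResetSession, body: str) -> Tuple[int, str]:
    """Beta-site behaviour: the code is checked, but failures are never counted."""
    n = parse_form(body).get("n", "")
    if n == session.code:
        return 200, "ok"
    return 200, "wrong-code"      # unlimited retries, so the code is enumerable


def handle_code_hardened(session: ResetSession, body: str) -> Tuple[int, str]:
    """Same endpoint with a per-session attempt counter and lockout."""
    if session.locked:
        return 429, "locked"
    n = parse_form(body).get("n", "")
    if len(n) != 6 or not n.isdigit():
        n = ""                    # malformed input still burns an attempt
    if hmac.compare_digest(n, session.code):
        session.locked = True     # the code is single-use
        return 200, "ok"
    session.attempts += 1
    if session.attempts >= MAX_ATTEMPTS:
        session.locked = True     # lock the flow; the user must request a new code
        return 429, "locked"
    return 200, "wrong-code"


def brute_force(handler: Callable[[ResetSession, str], Tuple[int, str]],
                session: ResetSession,
                lsd: str = "AVoywo13") -> Tuple[Optional[str], int]:
    """Replay the POST from the article with n = 000000, 000001, ...

    Returns (code, requests_sent); code is None if the server locks us out
    or the whole space is exhausted. lsd is the CSRF token taken from the
    page and stays constant across requests.
    """
    for i in range(CODE_SPACE):
        n = f"{i:06d}"
        status, msg = handler(session, f"lsd={lsd}&n={n}")
        if status == 200 and msg == "ok":
            return n, i + 1
        if status == 429:
            return None, i + 1
    return None, CODE_SPACE


if __name__ == "__main__":
    # Constructed victim code, standing in for what the victim's phone received.
    code = f"{secrets.randbelow(CODE_SPACE):06d}"
    found, sent = brute_force(handle_code_vulnerable, ResetSession(code))
    print(f"vulnerable endpoint: found {found} after {sent} requests")
    found, sent = brute_force(handle_code_hardened, ResetSession(code))
    print(f"hardened endpoint:   found {found}, locked out after {sent} requests")
```

Against the vulnerable handler the loop always finishes, on average after half a million requests, which is cheap for an attacker who can send them in parallel. Against the hardened handler the same loop is cut off after 10 requests, a success probability of 0.001%. Note that the counter has to live on the server side, per recovery flow (or per account), not in the browser: a limit enforced by the page's JavaScript is bypassed simply by issuing the POST directly, as in the request above.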