Facebook paid $15,000 for a vulnerability that allowed resetting any user's password
Independent Indian security researcher Anand Prakash discovered a serious vulnerability in the Facebook social network that made it possible to brute-force a user's password-reset code and gain full access to the account. Because of the severity of the issue, Facebook paid the researcher $15,000 under its bug bounty program.
Out of curiosity, Anand examined the password recovery form, which sends a 6-digit confirmation code to the phone number or email address the user specified. Normally the million possible values of a 6-digit code cannot be enumerated, because the page blocks further attempts after 10 incorrect codes.
However, after checking the password recovery form on beta.facebook.com and mbasic.beta.facebook.com, Anand found that the developers had forgotten to apply the attempt limit there. These sites are used for beta testing new functionality before it appears on the main site.
As a result, the researcher managed to "hack" his own account by brute-forcing the 6-digit verification code (under Facebook's rules, accounts of other users may not be attacked even for research purposes).
The attack used a simple HTTP request:

    POST /recover/as/code/ HTTP/1.1
    Host: beta.facebook.com

    lsd=AVoywo13&n=XXXXX

in which the value of the parameter n was changed, with the possible 6-digit codes substituted one after another. Just 10 days after reporting the issue to Facebook, Anand received notice that the bounty had been awarded.
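The following is an added example, not Facebook's code, showing the server-side control the beta hosts were missing: the attempt counter is bound to the reset request itself rather than to the hostname serving the form, so the 10-attempt limit holds on every deployment. The `ResetRequest`, `verify_code` and `lockout_self_test` names are assumptions for this illustration.

```python
"""Attempt limiting for a 6-digit password-reset code (added example).

The counter lives on the reset request, so every host that serves the
recovery form enforces the same limit.
"""
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 10   # the limit the article describes for the main site
CODE_LENGTH = 6


@dataclass
class ResetRequest:
    code: str            # the code sent to the user's phone or email
    attempts: int = 0
    consumed: bool = False


def issue_code() -> ResetRequest:
    # Zero-padded six digits from a CSPRNG (constructed, not Facebook's format).
    return ResetRequest(code=f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}")


def verify_code(req: ResetRequest, submitted: str) -> str:
    """Return 'ok', 'wrong' or 'locked'.

    Every check counts as an attempt, and a locked or already-used request
    never accepts a code again, even the correct one.
    """
    if req.consumed or req.attempts >= MAX_ATTEMPTS:
        return "locked"
    req.attempts += 1
    # compare_digest avoids leaking the matching prefix through timing.
    if len(submitted) == CODE_LENGTH and hmac.compare_digest(req.code, submitted):
        req.consumed = True
        return "ok"
    if req.attempts >= MAX_ATTEMPTS:
        return "locked"
    return "wrong"


def lockout_self_test(req: ResetRequest) -> tuple[str, int]:
    """Feed codes in sequence, as the article's request loop did, against a
    local request object and report the final outcome and attempts counted."""
    for n in range(10 ** CODE_LENGTH):
        result = verify_code(req, f"{n:0{CODE_LENGTH}d}")
        if result != "wrong":
            return result, req.attempts
    return "wrong", req.attempts
```

With the limit in place the sequential loop is answered exactly ten times and then refused, which is the behaviour the main site already had.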
The award found a hero