Bengaluru security analyst Anand Prakash has earned $15,000 from Facebook's bug bounty program for finding a vulnerability in Facebook's password reset flow. The bug could have put a large number of accounts at risk.
The flaw allowed an attacker to brute-force the password reset passcode for any account through Facebook's beta websites and then set a new password for it. Had it been found by someone with malicious intent, a lot of user data would have been at stake: an attacker could have seen all the information tied to the account, including personal details, photographs and even the payment details linked to it.
Prakash wrote on his blog: "Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability". He also explained the bug: "Facebook sends a 6-digit passcode to the phone if you forget the password. After 10-12 tries you are blocked from attempting the login".
"However, I tried to recreate the same issues on the Facebook Beta channels beta.facebook.com and mbasic.beta.facebook.com and there was no limit for trying. I tried to take over my account (as per Facebook's policy you should not do any harm on any other user's account) and was successful in setting a new password for my account. I could then use the same password to log in to the account", he added. A 6-digit passcode has only 1,000,000 possible values, so with no attempt limit on the beta hosts an attacker could have scripted requests to try every combination and reset the password of any account.
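The following simulation, added here as an illustration and not code from Prakash's write-up or from Facebook, shows why the lockout has to live in the shared backend rather than in one front end. It models a shared reset backend behind two front ends: one that counts attempts itself (the main site in the article) and one that passes requests straight through (the beta hosts). All class and function names are invented, and the brute-force loop only ever talks to the in-memory objects defined below.

```python
"""Simulation of a 6-digit password-reset passcode check with and without a
server-side attempt limit. Added illustration; every name here is invented
and nothing talks to Facebook or any other real service."""

import hmac
import secrets

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS   # 1,000,000 possible passcodes
MAX_ATTEMPTS = 10                # lockout threshold, as described in the article


class ResetBackend:
    """Shared backend that issues and checks the passcode for each account."""

    def __init__(self, enforce_limit):
        self.enforce_limit = enforce_limit   # False reproduces the bug, True the fix
        self._pending = {}                   # account -> [code, attempts_so_far]

    def start_reset(self, account):
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._pending[account] = [code, 0]
        return code   # would go out by SMS; returned only so the simulation can check it

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return "no_reset"
        if self.enforce_limit and entry[1] >= MAX_ATTEMPTS:
            return "locked"
        entry[1] += 1
        if hmac.compare_digest(entry[0], guess):   # constant-time comparison
            del self._pending[account]             # a passcode is single use
            return "ok"
        return "wrong"


class Frontend:
    """A web front end. It may keep its own attempt counter (the main site)
    or forward every request unchecked (the beta hosts in the article)."""

    def __init__(self, backend, own_limit):
        self.backend = backend
        self.own_limit = own_limit
        self._attempts = {}

    def submit_code(self, account, guess):
        if self.own_limit is not None:
            n = self._attempts.get(account, 0)
            if n >= self.own_limit:
                return "locked"
            self._attempts[account] = n + 1
        return self.backend.verify(account, guess)


def brute_force(frontend, account):
    """Try every passcode in order. Returns (found, attempts_made)."""
    for n in range(CODE_SPACE):
        result = frontend.submit_code(account, f"{n:0{CODE_DIGITS}d}")
        if result == "ok":
            return True, n + 1
        if result == "locked":
            return False, n
    return False, CODE_SPACE


def run_scenario(backend_enforces):
    """Attack the same backend through a limited and an unlimited front end.
    Returns (code_for_main_run, main_result, code_for_beta_run, beta_result)."""
    backend = ResetBackend(enforce_limit=backend_enforces)
    main_site = Frontend(backend, own_limit=MAX_ATTEMPTS)   # counts attempts itself
    beta_site = Frontend(backend, own_limit=None)           # no counter of its own
    code_main = backend.start_reset("victim")
    via_main = brute_force(main_site, "victim")
    code_beta = backend.start_reset("victim")               # fresh code, fresh counter
    via_beta = brute_force(beta_site, "victim")
    return code_main, via_main, code_beta, via_beta


if __name__ == "__main__":
    for enforce in (False, True):
        _, main_res, _, beta_res = run_scenario(backend_enforces=enforce)
        print(f"backend enforces limit={enforce}: main site {main_res}, beta site {beta_res}")
```

With `backend_enforces=False` the main site locks the attacker out after ten guesses while the beta site lets the loop run until it hits the code, which is the situation the article describes. With `backend_enforces=True` both paths stop at ten, whatever the front end does, which is the property a fix needs to have.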
Prakash, who works at Flipkart as a security analyst, reported the bug on 22 February, and on 23 February Facebook asked him to confirm the fix. This is not his first reward for hunting bugs: he has submitted 80 bugs to Facebook so far, and through bug bounty programs he has earned almost ₹1 crore.
Facebook launched its bug bounty program in 2011 to encourage people to find vulnerabilities and report them to Facebook so that it can build a more secure website. The program has paid out $4.3 million to 800 researchers across the globe, and in 2015 India was the country whose security researchers earned the highest payout. Indian startups such as Ola cabs have also started bug bounty programs after being hacked in 2015.