July 21st, 2015
A British security researcher recently uncovered a bug allowing him to take over someone else’s Facebook account via text message, a vulnerability that could have compromised millions of profiles. The researcher reported it to Facebook and earned a $20,000 reward from the company.
Jack Whitton, an application security engineer who also works as a security researcher in his spare time, discovered the bug on May 23. Whitton found that he could trick Facebook into sending him a password reset code for another user’s account, potentially allowing him to hijack the account of anyone who had a profile linked to their cellphone number. He immediately reported the bug to Facebook, and it was fixed five days later.
In a post on his blog, Whitton explains how he uncovered the bug: the mobile verification flow accepted a user's Facebook ID supplied in the request, so by entering another user's ID he could request a password reset code for that account without triggering an error.
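To make the class of bug concrete, here is an added illustration written for this page. It is not Facebook's code and it does not reproduce the exact steps from Whitton's post; it models a toy "verify a phone, then reset a password by SMS" flow in which the phone-confirmation request trusts a client-supplied account ID (a hypothetical profile_id form field) instead of the logged-in session, beside the fixed version. Account IDs, phone numbers and function names are all constructed assumptions.

```python
import secrets

# Constructed sample accounts (hypothetical IDs, not real Facebook IDs).
ACCOUNTS = {
    1001: {"name": "attacker", "phone": None},
    1002: {"name": "victim", "phone": None},
}


class PhoneFlow:
    """Toy model of 'verify a phone number, then reset a password by SMS'."""

    def __init__(self, accounts, trust_client_profile_id):
        self.accounts = {k: dict(v) for k, v in accounts.items()}
        self.trust_client_profile_id = trust_client_profile_id
        self.pending = {}      # verification code -> (user_id it was issued to, phone)
        self.sms_outbox = []   # (phone, text) that would go out by SMS
        self.reset_codes = {}  # reset code -> user_id

    def _sms(self, phone, text):
        self.sms_outbox.append((phone, text))

    def start_phone_verification(self, session_user, phone):
        """Logged-in user asks to add a phone; a code is texted to that phone."""
        code = secrets.token_hex(3)
        self.pending[code] = (session_user, phone)  # bound to the requester
        self._sms(phone, f"verification code {code}")
        return code

    def confirm_phone(self, session_user, form):
        """form = {'code': ..., 'profile_id': ...} as a browser would post it."""
        entry = self.pending.pop(form["code"], None)
        if entry is None:
            raise PermissionError("unknown verification code")
        issued_for, phone = entry
        if self.trust_client_profile_id:
            # VULNERABLE: the account the phone gets attached to is read from
            # the form, so a user can attach *their* verified phone to *any*
            # profile just by changing profile_id. No error is raised.
            target = int(form["profile_id"])
        else:
            # FIXED: the account comes from the session, and the code must
            # have been issued to that same session.
            target = session_user
            if issued_for != session_user:
                raise PermissionError("code not issued for this account")
        self.accounts[target]["phone"] = phone
        return target

    def forgot_password(self, phone):
        """Public 'forgot password' form: texts a reset code to a phone."""
        owners = [uid for uid, a in self.accounts.items() if a["phone"] == phone]
        if not owners:
            return None
        code = secrets.token_hex(3)
        self.reset_codes[code] = owners[0]
        self._sms(phone, f"reset code {code}")
        return code

    def reset_password(self, code, new_password):
        uid = self.reset_codes.pop(code)
        self.accounts[uid]["password"] = new_password
        return uid


def attack(trust_client_profile_id):
    """Replay the takeover. Returns the account ID whose password the
    attacker ends up setting: the victim's when the flow is vulnerable,
    only the attacker's own when it is fixed."""
    flow = PhoneFlow(ACCOUNTS, trust_client_profile_id)
    attacker, victim, attacker_phone = 1001, 1002, "+15550000001"
    code = flow.start_phone_verification(attacker, attacker_phone)
    try:
        flow.confirm_phone(attacker, {"code": code, "profile_id": victim})
    except PermissionError:
        return None
    reset = flow.forgot_password(attacker_phone)  # code lands on the attacker's phone
    return flow.reset_password(reset, "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable flow, attacker now controls account:", attack(True))
    print("fixed flow, attacker now controls account:", attack(False))
```

The fix is the usual one for this bug class: the server never lets the client name the account a security-sensitive action applies to; it takes the account from the authenticated session and checks that the verification code was issued to that same session.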
“We enter this code into the form, choose a new password, and we’re done. The account is ours,” he wrote.
The flaw could have potentially allowed malicious hackers to steal personal information, send out spam or engage in phishing attacks.
Facebook rewarded Whitton with $20,000 as part of its bug bounty program, which encourages white-hat hackers — hackers who find vulnerabilities but report them instead of exploiting them — to flag bugs.
Security Researcher Earns $20,000 for Uncovering Major Facebook Bug