Bengaluru-based hacker, Anand Prakash, says he has received $15,000 (approximately Rs 10 lakh) from Facebook for reporting a bug that could have put the social network’s 1.6 billion users at risk.
In a blog post, Prakash writes that on February 22, he had found a simple vulnerability that could have been used to hack into any user’s Facebook account to get access to credit or debit card details, personal pictures, and messages without any user interaction.
This is only the latest in a string of bugs that Prakash has reported over nearly three years. The 22-year-old, who works at Flipkart as a security engineer, describes himself as a ‘bug bounty’ hunter, and says he has earned around Rs 1.2 crore just by reporting bugs to Facebook, Twitter and a host of other US-based companies.
Prakash says he was among Facebook’s top three bug reporters in 2014. “I started doing this after completing my graduation in BTech. I have so far reported 90 bugs for Facebook and around 30 for Twitter,” he says. His LinkedIn profile mentions Google, RedHat, Dropbox, Adobe, eBay and PayPal as others who have rewarded him for reporting security vulnerabilities.
Prakash is what is called a ‘white hat hacker’: one who, unlike ‘black hat hackers’, does not use the vulnerabilities he finds for personal gain and discloses them to the public only after receiving permission from the company concerned. Prakash said that in India there aren’t many white hat hackers because of the lack of interest on the part of Indian companies. “Indian companies don’t pay attention to their security. It’s better for us to help US-based companies,” he says.
In the latest instance, Prakash found that when users forget their Facebook password, they are required to enter their email id to receive a fresh six-digit code with which to log in to the account. The user is then given 10-12 tries to enter the code, failing which they are denied access. However, Facebook’s beta website, which is used by engineers, did not have this restriction and allowed an unlimited number of attempts at the code, says Prakash.
“On this site, I could try as many times as I wanted. I used the brute force algorithm method which allowed me to try the combinations from 0 to 9 on the six-digit code. This was a bug which could be exploited by anyone,” Prakash says. A ‘brute force’ attack is a trial-and-error technique that tries every possible combination in turn, and is also used to break encrypted data.
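The missing control described above is an attempt limit on the reset code. The following is an added example, not code from the article or from Facebook, of how a reset-code verifier enforces such a limit; the policy values (six digits, 10 tries, a 15-minute lifetime) and the `ResetCodeStore` class are assumptions for illustration.

```python
import hmac
import secrets
import time

# Added example (not the article's or Facebook's code): a password-reset code
# verifier that enforces the attempt limit the beta site was missing.
# Assumed, illustrative policy: six-digit code, 10 tries, 15-minute lifetime.
CODE_DIGITS = 6
MAX_ATTEMPTS = 10
CODE_TTL_SECONDS = 15 * 60


class ResetCodeStore:
    """Holds one outstanding reset code per account, with an attempt counter."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # account -> {"code", "issued", "attempts"}

    def issue(self, account):
        """Generate a fresh random code; any previous code for the account is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = {"code": code, "issued": self._now(), "attempts": 0}
        return code

    def verify(self, account, candidate):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        if self._now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._codes[account]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            # Limit exhausted: burn the code so even a correct guess fails now;
            # the user must request a new one. This is the check the beta site lacked.
            del self._codes[account]
            return "locked"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(entry["code"].encode(), str(candidate).encode()):
            del self._codes[account]  # single use
            return "ok"
        return "wrong"
```

Without the attempt counter, the one million possible codes are exhausted in at most a million requests; with it, an attacker gets at most ten guesses per issued code.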
Facebook, he says, responded within a few hours and awarded the bounty reward for his effort. This was done through Facebook’s Bug Bounty Program (BBP), which was launched in 2011 to encourage people to report security vulnerabilities found on Facebook.
Although mails to Facebook remained unanswered at the time of going to press, according to a report released by Facebook last month, BBP has received more than 2,400 valid submissions and doled out over $4.3 million as reward money to 800 researchers around the world, since its launch. India, a Facebook report says, was the largest contributor in reporting valid bugs.
(Article originally appeared on Times of India)