Facebook hack: Bug let hackers into anyone’s account

An Indian security researcher has been given a $15,000 reward for finding the problem

Andrew Griffin
Tuesday 08 March 2016 14:19 GMT
Facebook previously routed profits through its Dublin office.


A bug in Facebook let people hack into anyone’s account.

The flaw let an attacker keep guessing the code Facebook sends out to reset a forgotten password until they hit the right one. Sites like Facebook normally prevent this by blocking further attempts after a small number of wrong guesses, but a bug in one version of the site let people get around that check.

Because of the problem, an attacker could have set a computer programme to run through every possible code until one was accepted. Once in, they could have changed the password, permanently locking the real owner out, as well as reaching credit card details, personal messages and photos.

A security researcher in India found the bug. Anand Prakash received $15,000 from Facebook under its bug bounty programme. Though the flaw was relatively simple, the size of the payout is thought to reflect the scale of the damage it could have caused.

The vulnerability lay in the way Facebook lets people back into their account when they have forgotten their password. The site asks for a phone number or email address and sends a code to it, and that code can then be entered instead of the password.

On the main Facebook site the code cannot be guessed indefinitely: entering the wrong one too many times brings up a block. Mr Prakash said that when he tried random codes there he was usually stopped after 10 or 12 attempts.

But on Facebook’s beta site, a version normally used by developers for testing, that check was missing, so the same code could be tried again and again. Mr Prakash found that by guessing his way through the possible codes he could reset his own password without ever receiving the code.
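The passage above describes the whole bug: the reset code is short enough to guess, and one front end enforced a cap on wrong guesses while another did not. The following toy model, added here as an illustration and not Facebook's code or Mr Prakash's own script, shows both behaviours side by side. It assumes a six-digit numeric code and a cap of 10 failed guesses per issued code; the article only says the main site stopped the researcher after "10 or 12" tries, so both figures are assumptions.

```python
"""Added example: why a password-reset code needs a server-side attempt limit.

Toy model, not Facebook's code.  Assumed: a 6-digit numeric code and a cap of
10 wrong guesses per issued code (the article only says "10 or 12").
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 10  # assumed cap on wrong guesses per issued code


@dataclass
class PendingReset:
    code: str
    failures: int = 0


class ResetService:
    """Issues one-time reset codes and checks guesses against them.

    limit_attempts=False models the beta endpoint described in the article:
    the same code can be guessed an unlimited number of times.
    """

    def __init__(self, limit_attempts: bool, max_attempts: int = MAX_ATTEMPTS):
        self.limit_attempts = limit_attempts
        self.max_attempts = max_attempts
        self.pending: Dict[str, PendingReset] = {}

    def request_reset(self, account: str) -> str:
        # Anyone can trigger a reset for any account; the code goes to the
        # owner's phone or e-mail.  It is returned here only so the demo can
        # confirm that brute force recovered the right value.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = PendingReset(code)
        return code

    def verify(self, account: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'locked'."""
        entry = self.pending.get(account)
        if entry is None:
            return "locked"  # no live code: used up, burned, or never issued
        if hmac.compare_digest(entry.code, guess):  # constant-time compare
            del self.pending[account]  # a code is single use
            return "ok"
        entry.failures += 1
        if self.limit_attempts and entry.failures >= self.max_attempts:
            del self.pending[account]  # burn the code; attacker must start over
            return "locked"
        return "wrong"


def brute_force(service: ResetService, account: str) -> Optional[str]:
    """Try every 6-digit code in order; give up as soon as the service locks us out."""
    for n in range(10**6):
        guess = f"{n:06d}"
        status = service.verify(account, guess)
        if status == "ok":
            return guess
        if status == "locked":
            return None
    return None


def demo() -> Tuple[bool, bool]:
    """(code recovered against the unlimited service, attacker blocked by the capped one)."""
    vulnerable = ResetService(limit_attempts=False)
    hardened = ResetService(limit_attempts=True)
    real = vulnerable.request_reset("victim")
    hardened.request_reset("victim")
    cracked = brute_force(vulnerable, "victim") == real
    blocked = brute_force(hardened, "victim") is None
    return cracked, blocked


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the article. First, the cap is tied to the issued code itself and stored with it on the server, so it holds no matter which front end (www, mobile, beta) the guess arrives through; a limit implemented only in one site's request handler is exactly the gap described above. Second, exhausting the cap destroys the code rather than merely rejecting further guesses, so an attacker gets at most ten chances in a million per issued code and has to trigger a fresh reset, which rotates the code and is itself something to rate-limit.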

The problem has now been fixed by Facebook.
