Facebook Rewards Hacker Who Could Have Hacked Lots Of Facebook

Anand Prakash, a hacker, programmer and researcher who found a bug on Facebook that made it possible to take over any Facebook account by brute-forcing the password reset code on beta.facebook.com, has now been rewarded by Facebook with a sum of $15,000.
See the video below explaining how the bug works and how he found it.

He said: “Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110. Facebook will then send a 6-digit code to his phone number/email address which the user has to enter in order to set a new password. I tried to brute the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts.

Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on the forgot password endpoints. I tried to take over my own account (as per Facebook’s policy you should not do any harm to any other user’s account) and was successful in setting a new password for my account. I could then use the same password to log in to the account.”
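The flaw described above is a rate limit enforced on one host (www.facebook.com) but not on sibling hosts (beta.facebook.com, mbasic.beta.facebook.com) that verify the same code. The defensive fix is to count attempts against the account and the issued code, in a store shared by every frontend, rather than per host. The following is an added illustration written for this article, not Facebook's code or anything from the researcher's report; the hostnames come from the page, while the attempt limit, code lifetime and account name are constructed values.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 10           # constructed limit; the page reports www blocking after 10-12 tries
CODE_TTL_SECONDS = 15 * 60  # constructed code lifetime


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeService:
    """Central reset-code store. Every frontend host calls verify() here, so the
    attempt budget follows the account instead of being tracked per hostname."""

    def __init__(self, now):
        self._now = now              # injectable clock so expiry can be exercised offline
        self._challenges: dict[str, ResetChallenge] = {}
        self.audit: list[tuple[str, str, str]] = []   # (account, host, event) for detection

    def issue(self, account: str) -> str:
        # Issuing a new code replaces the old one and resets its attempt counter.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account] = ResetChallenge(code, self._now())
        return code

    def verify(self, account: str, submitted: str, via_host: str) -> str:
        ch = self._challenges.get(account)
        if ch is None:
            return "no_challenge"
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            # Already locked: the code is dead regardless of which host is asking.
            self.audit.append((account, via_host, "locked"))
            return "locked"
        ch.attempts += 1
        if hmac.compare_digest(ch.code, submitted):
            del self._challenges[account]  # single use: a correct code cannot be replayed
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            self.audit.append((account, via_host, "lockout_triggered"))
        return "wrong"


def bruteforce_success_probability(max_attempts: int, code_digits: int = 6) -> float:
    """Chance a guesser exhausts the budget and hits a uniformly random code."""
    return max_attempts / (10 ** code_digits)


def demo_shared_budget() -> dict:
    """Spread wrong guesses across the three hosts named in the article and show
    that the budget is shared: the correct code is refused once it is exhausted."""
    clock = {"t": 0.0}
    svc = ResetCodeService(now=lambda: clock["t"])
    account = "alice@example.invalid"          # constructed account
    code = svc.issue(account)
    wrong = "000000" if code != "000000" else "000001"

    outcomes = []
    for host in ("www.facebook.com",) * 5 + ("beta.facebook.com",) * 5:
        outcomes.append(svc.verify(account, wrong, host))
    # Ten wrong guesses have used the whole budget; even the right code is now locked out.
    outcomes.append(svc.verify(account, code, "mbasic.beta.facebook.com"))

    # A freshly issued code has a fresh budget, but it expires on its own.
    code2 = svc.issue(account)
    clock["t"] += CODE_TTL_SECONDS + 1
    expired = svc.verify(account, code2, "www.facebook.com")

    return {
        "outcomes": outcomes,
        "expired": expired,
        "lockout_events": [e for e in svc.audit if e[2] == "lockout_triggered"],
        "p_guess": bruteforce_success_probability(MAX_ATTEMPTS),
    }
```

The audit list is the detection hook: a burst of `lockout_triggered` events for many accounts, or lockouts arriving from a host that normally sees little reset traffic, is the signal a defender would alert on.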

[Screenshot, 2016-03-07]