Get All Access for $5/mo

How This Indian Bug-Bounty Hunter Hacked 1.6 Billion Facebook Accounts In exchange for not misusing the exploit and directly reporting it to Facebook, Zuckerberg's team rewarded him 10.5 lac rupees!

By Rustam Singh

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

NuOilSuwannar / Shutterstock

Bug Bounty Hunting – the profession of ethical or "White hat" hackers who intentionally hack into servers and companies websites with the hope to find an exploit are finally receiving the popularity they deserve. One such bounty Hunter famous bug bounty hunter is Bangalore based Anand Prakash who managed to track a bug on Facebook.com that gained him unfiltered complete access to every Facebook user, or almost 1 billion profiles. Fortunately for Mark Zuckerberg, instead of going rougue and exploiting the bug to cause havoc, steal private images, conversations, credit card details and harass/blackmail anyone, he immediately reported the bug to Facebook's bug reporting team. In exchange for his work, Facebook instantly rewarded him US$ 15,000 or more than 10 lac rupees!

The bug

The vulnerability was relatively easy to exploit but had a massive impact. Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110

Facebook then sends a 6 digit code on the user's phone number/email address which user has to enter in order to set a new password. To prevent brute force attacks (where a computer keeps trying every logical combination of numbers on the login page till eventually reaching the correct password), Facebook has limited 10-12 attempts per account before waiting. Exploiting this, Anand gained access to any account on Facebook.

The exploit

Brute force protection was valid only on the main homepage, facebook.com. However a alternate URL, beta.facebook.com and mbasic.beta.facebook.com did not have the same protection. Exploiting this, he brute forced his way to gain access to any account at all by resetting their password. The newly set password could be used to login any account.

Impact

Facebook reacted immediately and fixed the bug within few hours. Just one week later, Anand received the confirmation and in light of the extremely crucial exploit, decided to reward him the bounty.

Anand has previously exposed several bugs in popular websites, including hacking 62.5 million Zomato users as well as deleting any note from any user's account for which he was awarded 2500US$ and forced unstoppable spamming of Facebook.com/thanks posting on behalf of any of your friends. He was awarded 12,500 US$ for exploiting this bug.

Anand Prakash (Image source: http://www.anandpraka.sh)

As you can see ethical hacking is an extremely value able profession and businesses can gain a lot from voluntarily encouraging users to find out bugs before unethical hackers find the same bug. They can save millions in data loss apart from losing the trust of millions of users. Entrepreneurs, start-ups and businesses should be encouraged to reward generously to bug bounty hunters. Does your start-up have a bug reporting reward system? Let us know in the comments on our official Facebook page, Entrepreneur India

Rustam Singh

Sub-Editor- Entrepreneur.com

Tech reporter.

Contact me if you have a truly unique technology related startup looking for a review and coverage, especially a crowd-funded project looking to launch and coverage.

Social Media

Five Indian film producers are exploring business beyond cinema

Very recently, the Ahmedabad-based ice cream brand Hocco raised funds, and among many, they have two angel investors from Bollywood: Farhan Akhtar and Ritesh Sidhwani. From Karan Johar to Alia Bhatt, Rana Daggubati to Ronnie Screwvala, there are film producers who are expanding their horizons as business visionaries by investing in different sectors. Here we take a look at some of such personalities.

Starting a Business

I Left the Corporate World to Start a Chicken Coop Business — Here Are 3 Valuable Lessons I Learned Along the Way

Board meetings were traded for barnyards as a thriving new venture hatched.

Growth Strategies

AMD Confident About Increasing Market Share In India

The semiconductor company is positive about the business environment in India on the back of growing investments in data centers and AI, Cloud repatriation, as well as technology refresh taking place across companies on both server side and client devices

Business News

'We Pulled Off An SEO Heist': Entrepreneur Stole 3.6 Million Pageviews From Competitors — And Your Business Could Be Next.

This has huge implications for businesses that rely on Google's organic traffic for revenue.

Business News

Wells Fargo Reportedly Fired More Than a Dozen Employees for Faking Keyboard Activity

The bank told Bloomberg that it "does not tolerate unethical behavior."

Innovation

The Key to Real Innovation Is Cross-Pollination — Here Are 10 Ways to Implement It in Your Business

Transform your business with this unique approach to sparking innovation.