Get All Access for $5/mo

How This Indian Bug-Bounty Hunter Hacked 1.6 Billion Facebook Accounts In exchange for not misusing the exploit and directly reporting it to Facebook, Zuckerberg's team rewarded him 10.5 lac rupees!

By Rustam Singh

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

NuOilSuwannar / Shutterstock

Bug Bounty Hunting – the profession of ethical or "White hat" hackers who intentionally hack into servers and companies websites with the hope to find an exploit are finally receiving the popularity they deserve. One such bounty Hunter famous bug bounty hunter is Bangalore based Anand Prakash who managed to track a bug on Facebook.com that gained him unfiltered complete access to every Facebook user, or almost 1 billion profiles. Fortunately for Mark Zuckerberg, instead of going rougue and exploiting the bug to cause havoc, steal private images, conversations, credit card details and harass/blackmail anyone, he immediately reported the bug to Facebook's bug reporting team. In exchange for his work, Facebook instantly rewarded him US$ 15,000 or more than 10 lac rupees!

The bug

The vulnerability was relatively easy to exploit but had a massive impact. Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110

Facebook then sends a 6 digit code on the user's phone number/email address which user has to enter in order to set a new password. To prevent brute force attacks (where a computer keeps trying every logical combination of numbers on the login page till eventually reaching the correct password), Facebook has limited 10-12 attempts per account before waiting. Exploiting this, Anand gained access to any account on Facebook.

The exploit

Brute force protection was valid only on the main homepage, facebook.com. However a alternate URL, beta.facebook.com and mbasic.beta.facebook.com did not have the same protection. Exploiting this, he brute forced his way to gain access to any account at all by resetting their password. The newly set password could be used to login any account.

Impact

Facebook reacted immediately and fixed the bug within few hours. Just one week later, Anand received the confirmation and in light of the extremely crucial exploit, decided to reward him the bounty.

Anand has previously exposed several bugs in popular websites, including hacking 62.5 million Zomato users as well as deleting any note from any user's account for which he was awarded 2500US$ and forced unstoppable spamming of Facebook.com/thanks posting on behalf of any of your friends. He was awarded 12,500 US$ for exploiting this bug.

Anand Prakash (Image source: http://www.anandpraka.sh)

As you can see ethical hacking is an extremely value able profession and businesses can gain a lot from voluntarily encouraging users to find out bugs before unethical hackers find the same bug. They can save millions in data loss apart from losing the trust of millions of users. Entrepreneurs, start-ups and businesses should be encouraged to reward generously to bug bounty hunters. Does your start-up have a bug reporting reward system? Let us know in the comments on our official Facebook page, Entrepreneur India

Rustam Singh

Sub-Editor- Entrepreneur.com

Tech reporter.

Contact me if you have a truly unique technology related startup looking for a review and coverage, especially a crowd-funded project looking to launch and coverage.

News and Trends

FinX and FirstClub Raise Early-Stage Funding

The startups listed below have disclosed investment rounds.

News and Trends

Uber Launches Moto Women in Bengaluru, Connecting Female Riders with Female Drivers

Uber Moto Women aims to ensure safety with real-time trip sharing, anonymised contact details, and RideCheck monitoring for irregularities. It also offers 24x7 priority support via Uber's Safety Helpline for women riders and drivers.

News and Trends

Talent, Digital Infra, Policy, and Startups Driving India's GCC Ecosystem

By leveraging its demographic dividend and evolving policies, India is uniquely positioned to become the preferred choice for global enterprises seeking scalability, resilience, and a future-ready operational base.

Growth Strategies

Indian Graduates' Employability Rate Reaches 54.81 per cent: Report

By addressing regional disparities, fostering gender diversity, and equipping graduates with both technical and soft skills, stakeholders can harness the full potential of the nation's workforce.

News and Trends

Recur Club Announces Credit Offerings for Startups Beyond Series A and SMEs

In FY 24–25, the platform also plans to deploy an additional INR 2000 crores through its Recur Swift program for startups.

News and Trends

Kalaari Capital's CXXO Initiative Sheds Light on Women Entrepreneurs' Struggles

The report highlights key findings on the gender funding gap, unconscious biases, and the resilience of women entrepreneurs.