Bloke pockets $15k for spotting Facebook password-reset blunder

Beta site security bug squished


Facebook has slung US$15,000 in the direction of Anand Prakash for discovering a serious bug on its beta servers.

Late in February, Prakash writes, he discovered that the company's beta sites didn't rate limit the PINs used for password resets.

If a password reset is requested via a PIN sent to the account holder's phone, whoever is entering guesses is blocked after 10 or 12 invalid attempts.

However, he writes, the same didn't apply to or – and that made it trivial to write a script to brute-force the 6-digit PIN.
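To make the missing control concrete, here is an added example (not code from the article, from Prakash's write-up, or from Facebook) of a password-reset PIN verifier that does what the main site did and the beta hosts didn't: it counts failed guesses per account and invalidates the code once the limit is hit, so a 6-digit PIN can't simply be enumerated. The class and function names, the 10-attempt limit and the expiry window are assumptions made for the example.

```python
"""
Added example, not from the article or from Facebook: a minimal
password-reset PIN store with a per-account failure limit. The limit is
the control whose absence on the beta hosts made the 6-digit PIN
brute-forceable. Names, limit and TTL below are hypothetical choices.
"""
import hmac
import secrets
import time

PIN_DIGITS = 6
MAX_ATTEMPTS = 10        # assumed; the article reports 10 or 12 on the main site
PIN_TTL_SECONDS = 600    # assumed; a reset code should also expire on its own


class ResetPinStore:
    """Tracks one outstanding reset PIN per account and counts failed guesses."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # account -> {"pin": str, "issued": float, "failures": int}
        self._pending = {}

    def issue(self, account: str) -> str:
        """Generate a fresh random PIN and reset the account's failure counter."""
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._pending[account] = {"pin": pin, "issued": self._clock(), "failures": 0}
        # In a real system the PIN goes out-of-band (SMS); it is returned
        # here only so the example can be exercised offline.
        return pin

    def remaining_attempts(self, account: str) -> int:
        """How many more wrong guesses the account tolerates (0 if none pending)."""
        entry = self._pending.get(account)
        if entry is None:
            return 0
        return MAX_ATTEMPTS - entry["failures"]

    def verify(self, account: str, guess: str) -> bool:
        """Check a guess. Correct guesses consume the PIN; too many wrong ones void it."""
        entry = self._pending.get(account)
        if entry is None:
            return False  # nothing outstanding, or already locked out / consumed
        if self._clock() - entry["issued"] > PIN_TTL_SECONDS:
            del self._pending[account]  # expired: user must request a new code
            return False
        # Constant-time comparison so timing doesn't leak matching prefixes.
        if hmac.compare_digest(entry["pin"], guess):
            del self._pending[account]  # single use
            return True
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            # Invalidate the code entirely: a further correct guess must not
            # succeed, otherwise the limit only slows the enumeration down.
            del self._pending[account]
        return False
```

The important design point is that the counter is keyed on the account (the thing being attacked), not on the client's IP address, and that hitting the limit voids the code rather than merely pausing checks; with 10 guesses allowed against a 6-digit space, an attacker has at most a one-in-100,000 chance per issued code.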

No terms of service were harmed in the making of the attack though, since Prakash attacked his own account, as shown in this video.


Here's the vulnerable request Prakash put in his notification to Facebook.

POST /recover/as/code/ HTTP/1.1
Host:

“Brute forcing the "n" successfully allowed me to set [a] new password for any Facebook user”, he writes. Facebook has now patched the bug. ®
