A hacker in India has revealed how he found a way to break into any Facebook user’s profile, before alerting the social network to the issue and being rewarded for his work.
Anand Prakash is a security engineer in Bangalore who posted to his blog a piece entitled “How I could have hacked all Facebook accounts”, which detailed how he had discovered a way to exploit the ‘forgot password?’ section of the site and force his way into any account.
The forgotten password section of Facebook works as follows: if you forget your log-in, the site will email or text you a verification code in order to regain access to your profile. To protect this process from hackers, Facebook places what is known as rate-limiting on the codes, meaning that you have a limited number of chances to input the code Facebook sends you.
This prevents hackers from using what’s known as a brute-force attack, in which software continuously enters numbers until it hits the right one.
What Prakash discovered was that Facebook’s beta sites did not in fact have the rate-limiting feature in place, so you had an unlimited number of chances to try to log in. This is how Prakash got in.
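The rate-limited check the article describes, as an added illustration rather than Facebook’s own code: a reset-code store that counts wrong guesses per issued code and burns the code once the budget is spent, so the unlimited-guess condition found on the beta sites cannot occur. The attempt cap, code lifetime and six-digit format are assumed policy values, not taken from the article.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # wrong guesses allowed per issued code (assumed value)
CODE_TTL_SECONDS = 600    # how long an issued code stays valid (assumed value)


class ResetCodeStore:
    """In-memory store of password-reset codes with a per-code attempt limit.

    Hypothetical example for illustration; not Facebook's implementation.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}  # account -> {"code": str, "expires": float, "failures": int}

    def issue(self, account: str) -> str:
        # Six-digit code from a CSPRNG; issuing a new code replaces any earlier one
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account] = {"code": code,
                                "expires": self._clock() + CODE_TTL_SECONDS,
                                "failures": 0}
        return code

    def verify(self, account: str, submitted: str) -> bool:
        entry = self._codes.get(account)
        if entry is None or self._clock() > entry["expires"]:
            self._codes.pop(account, None)   # expired or never issued
            return False
        # Rate limit: once the budget is spent, reject everything, even the right code
        if entry["failures"] >= MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(entry["code"], submitted):
            del self._codes[account]         # single use: a code never verifies twice
            return True
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del self._codes[account]         # burn the code; user must request a new one
        return False

    def attempts_left(self, account: str) -> int:
        entry = self._codes.get(account)
        return 0 if entry is None else MAX_ATTEMPTS - entry["failures"]
```

With this in place an attacker gets at most MAX_ATTEMPTS guesses per issued code, so the six-digit space cannot be exhausted; a server-side counter of failed verifications per account is also the natural signal to alert on.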
The fallout if this were to happen for real is potentially immense when you think of the amount of detail that is stored on your Facebook profile – in many cases it includes payment information.
Having discovered the weakness, Prakash says he reported it to Facebook on February 22. On March 2, he was awarded $15,000 (£10,500) by the social network for his troubles.
Facebook has not officially confirmed the incident, though images from Prakash’s blog suggest communication took place, and similar rewards have been handed out in the past.