Facebook rewards researcher with $20,000 for exposing major security flaw

A Brit man has been awarded $20,000 for bringing to notice a major Facebook security flaw that could’ve potentially compromised accounts on the social networking service. The reward given to him was part of Facebook’s White Hat bounty programme.

Application Security Researcher Jack Whitton discovered the existence of a Facebook bug that lets you take over any account on the website without any user interaction. He informed Facebook of this flaw on May 23 and the issue was fixed in less than a week’s time.

Crisis averted!

The issue here was that Facebook allows users the option to link their mobile numbers with their accounts and it allows them to receive updates via SMS. It also enables users to login using their numbers instead of email address.

“The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id , which is the account to link the number to,” writes Whitton . “This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id , which is the account to link the number to. The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.”

Essentially, this code needed to be entered into the form, a new password chosen and the account was compromised. The flaw could potentially have compromised accounts to turn them into phishing baits.

Facebook honours White Hats who dig out bugs and security flaws in order to help patch them up. The social networking website rewarded and thanked Whitton for averting a major disaster.