Facebook pays $15,000 bounty to close bug that can access any user’s account

By Saqib Shah Published March 8, 2016

facebook jobs tab woman using — Image used with permission by copyright holder

A major flaw in Facebook’s account security has been brought to light by a security researcher, who has received a cool $15,000 payout from the social network for his efforts.

Anand Prakash spotted the flaw, which allowed him access to any user’s account on the platform, last month. The bug was related to the Facebook account reset process, which results in the site sending a six-digit PIN to a user’s phone to be used as a temporary password.

Usually, the individual resetting an account is granted approximately 10-12 wrong password guesses. Prakash noticed that those security measures were missing from the Facebook beta site for developers, where every single user account is also readily available. Consequently, the bug allowed Prakash to seemingly flood the site with PIN guesses, and hack into any account he wanted.

Instead of exploiting the flaw, however, Prakash notified Facebook through its report vulnerability page. The following day, the social network confirmed that the bug occurred due to a change to the beta page a few days earlier. Although Facebook assures that the flaw was not misused in that time frame, it still felt compelled to pay the $15,000 bug bounty to Prakash.

The resulting award and Facebook’s rapid response in stamping out the bug hints at the major risk involved. It may not have been the most complicated security issue, but it could have resulted in complete chaos if utilized through the site’s main page.

“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” Facebook said in a statement to The Verge. “We’re happy to recognize and reward Anand for his excellent report.”

Since its inception, Facebook’s bug bounty program has forked out over $4 million to hackers and security researchers for responsibly disclosing issues in its system.

Topics

Former Digital Trends Contributor

Saqib Shah is a Twitter addict and film fan with an obsessive interest in pop culture trends. In his spare time he can be…

Social Media

Bluesky barrels toward 1 million new sign-ups in a day

Social media app Bluesky has picked nearly a million new users just a day after exiting its invitation-only beta and opening to everyone.

In a post on its main rival -- X (formerly Twitter) -- Bluesky shared a chart showing a sudden boost in usage on the app, which can now be downloaded for free for iPhone and Android devices.

Computing

How to make a GIF from a YouTube video

woman sitting and using laptop

Sometimes, whether you're chatting with friends or posting on social media, words just aren't enough -- you need a GIF to fully convey your feelings. If there's a moment from a YouTube video that you want to snip into a GIF, the good news is that you don't need complex software to so it. There are now a bunch of ways to make a GIF from a YouTube video right in your browser.

If you want to use desktop software like Photoshop to make a GIF, then you'll need to download the YouTube video first before you can start making a GIF. However, if you don't want to go through that bother then there are several ways you can make a GIF right in your browser, without the need to download anything. That's ideal if you're working with a low-specced laptop or on a phone, as all the processing to make the GIF is done in the cloud rather than on your machine. With these options you can make quick and fun GIFs from YouTube videos in just a few minutes.
Use GIFs.com for great customization
Step 1: Find the YouTube video that you want to turn into a GIF (perhaps a NASA archive?) and copy its URL.

Social Media

I paid Meta to ‘verify’ me — here’s what actually happened

In the fall of 2023 I decided to do a little experiment in the height of the “blue check” hysteria. Twitter had shifted from verifying accounts based (more or less) on merit or importance and instead would let users pay for a blue checkmark. That obviously went (and still goes) badly. Meanwhile, Meta opened its own verification service earlier in the year, called Meta Verified.

Mostly aimed at “creators,” Meta Verified costs $15 a month and helps you “establish your account authenticity and help[s] your community know it’s the real us with a verified badge." It also gives you “proactive account protection” to help fight impersonation by (in part) requiring you to use two-factor authentication. You’ll also get direct account support “from a real person,” and exclusive features like stickers and stars.