Facebook fixes bug in beta site that allowed accounts to be hijacked
Because of a bug in Facebook's beta site, a password reset code could be entered an unlimited number of times. With nothing more than a member's phone number or email address, the six-digit code could be recovered by brute force.
If you forget your password on Facebook, you can reset it by entering your phone number or email address. Facebook then sends a six-digit reset code for authentication. After 10 to 12 incorrect entries, that code expires, which prevents an attacker from simply trying all possible codes and changing the password without authorization.
At beta.facebook.com and mbasic.beta.facebook.com, however, there appeared to be no limit to the number of times the code could be entered, as Anand Prakash, an Indian bug bounty hunter, discovered. Using the Burp Repeater tool, he found the correct reset code for his own account after numerous attempts and changed its password. According to him, the same could have been done with any account.
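The reset-code check described above, as an added illustration that is not Facebook's code: a toy Python service in which `enforce_limit=False` reproduces the beta-site behaviour (no cap on wrong entries) and `enforce_limit=True` expires the code after a fixed number of wrong entries, plus a brute-force loop that plays the role of the Burp Repeater run. The service, the account name and the code value are constructed for the example; the cap of 10 is an assumption taken from the low end of the article's "10 to 12".

```python
"""Toy model of a six-digit password-reset code check, with and without an attempt cap."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6
# The article says the main site expires a code after 10 to 12 wrong entries;
# 10 is assumed here for the hardened variant.
MAX_ATTEMPTS = 10


@dataclass
class PendingReset:
    code: str          # the six-digit code that was "sent" to the user
    attempts: int = 0  # wrong guesses seen so far
    expired: bool = False


class ResetService:
    """Hypothetical reset endpoint. enforce_limit=False reproduces the beta-site flaw."""

    def __init__(self, enforce_limit: bool) -> None:
        self.enforce_limit = enforce_limit
        self.pending: dict[str, PendingReset] = {}

    def start_reset(self, account: str, code: str | None = None) -> str:
        # A real service delivers the code out of band; it is returned here only
        # so the demo can show that the brute force recovered the right one.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[account] = PendingReset(code)
        return code

    def verify(self, account: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'expired' for one submitted code."""
        req = self.pending.get(account)
        if req is None or req.expired:
            return "expired"
        if hmac.compare_digest(req.code, guess):
            del self.pending[account]  # a code is single-use
            return "ok"
        if self.enforce_limit:
            req.attempts += 1
            if req.attempts >= MAX_ATTEMPTS:
                req.expired = True  # cap reached: the code is dead from now on
                return "expired"
        return "wrong"


def brute_force(service: ResetService, account: str) -> tuple[str | None, int]:
    """Submit 000000..999999 in order, the way a Repeater loop would.
    Returns (recovered code or None, number of requests sent)."""
    sent = 0
    for n in range(10 ** CODE_DIGITS):
        guess = f"{n:0{CODE_DIGITS}d}"
        sent += 1
        status = service.verify(account, guess)
        if status == "ok":
            return guess, sent
        if status == "expired":
            return None, sent
    return None, sent


def demo(code: str = "734129") -> dict[str, tuple[str | None, int]]:
    """Run the same attack against the flawed and the hardened service."""
    results = {}
    for name, limit in (("beta (no limit)", False), ("main (capped)", True)):
        svc = ResetService(enforce_limit=limit)
        # constructed sample account and code, not real data
        svc.start_reset("victim@example.com", code)
        results[name] = brute_force(svc, "victim@example.com")
    return results


if __name__ == "__main__":
    for name, (found, sent) in demo().items():
        print(f"{name}: recovered={found!r} after {sent} requests")
```

Against the uncapped service the loop walks the whole six-digit space and lands on the code; against the capped one it is shut out after ten wrong guesses. Note that the cap must belong to the issued code, not to the HTTP session or client, and that code issuance itself also needs rate limiting, since an attacker who can request a fresh code at will gets a new batch of attempts each time.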
Facebook acknowledged the error, corrected it and awarded Prakash $15,000 for his discovery.