How I could have hacked any Facebook account

443 points by phwd about 9 years ago

17 comments

cphoover about 9 years ago
Frankly I think the amount being awarded by these companies is minuscule when you compare it to the amount of damage this information could have caused Facebook in the wrong hands.
sandGorgon about 9 years ago
BTW - Anand is a security engineer working for Flipkart and is one of India's smartest security experts. This is not the first time he has found bugs.

http://yourstory.com/2015/10/techie-tuesdays-anand-prakash/
jdcarter about 9 years ago
Good reminder here that all publicly-visible services are part of your overall attack surface, including beta sites and other things you never expect people to look at. The DROWN vulnerability from last week was similar: people disabled SSLv2 on their web servers, but not their mail servers.

Very nice find: super simple but super effective. I'm glad Facebook paid up promptly.
dsmithatx about 9 years ago
This has me thinking about another possible attack. Say I don't want to hack all of Facebook or a specific account. What if I used a botnet to reset passwords and then used the six attempts randomly on each account I reset? Sure, I'd only get a small percentage, but I would easily start hacking FB accounts. It's things like this that make me use 2FA as much as possible on personal data.
haser_au about 9 years ago
A great example of responsible disclosure, and the company acknowledging, fixing and rewarding the bug and finder. Great job to both Facebook and Anand.
mcone about 9 years ago
How do companies evaluate the severity and impact of the vulnerability? I don't work in security, but it seems like this is worth more than $15,000.
s3arch about 9 years ago
For these individual hardworking security analysts, Facebook awarding cash prizes of "any real value" is worth much more than some news article reporting it as "...simple security flaw...".

http://www.zdnet.com/article/facebook-fixes-simple-security-flaw-which-let-you-take-over-any-account/
moonshinefe about 9 years ago
A whole $15k? This could have cost them hundreds of thousands if not millions in lawsuits. That's a pretty crappy incentive; I'd imagine a lot of less moral security researchers getting exponentially more money out of something like this by just selling the 0day.

I wonder why the reward is so low. This is literally the amount a code monkey gets paid after 3-5 months of work with minimal skills.
thrownn about 9 years ago
On the subject of rate limiting, what is the best way to apply it across all endpoints, APIs and resources, external and internal, with minimal effort?

Usually, I see this implemented only as an afterthought, and only on endpoints deemed 'dangerous', waiting for a disaster like this to happen...
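One defensive answer to thrownn's question, added here as an example and not code from the thread or from Facebook: enforce a baseline limit in the router so every handler inherits it, and key the reset-code limit on the target account so that beta and production hostnames, IPs and sessions all draw on one budget. The hosts, IPs, account name and code below are constructed.

```python
import time

class FixedWindowLimiter:
    """Per-key fixed-window counter. One instance is shared by every hostname
    that reaches the backend, so beta and production hosts share one budget."""
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self._buckets = {}  # key -> (window_start, count)

    def allow(self, key):
        now = self.clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        self._buckets[key] = (start, count + 1)
        return count < self.limit

class Router:
    """Every route gets the baseline per-client limit at dispatch time, so no
    handler can be registered without one. Sensitive routes add a stricter
    limiter keyed on the resource under attack (here: the target account)."""
    def __init__(self, clock=time.monotonic):
        self.baseline = FixedWindowLimiter(100, 60, clock)
        self.routes = {}

    def route(self, path, limiter=None, key=None):
        def register(handler):
            self.routes[path] = (handler, limiter, key)
            return handler
        return register

    def dispatch(self, request):
        handler, extra, key = self.routes[request["path"]]
        if not self.baseline.allow((request["client_ip"], request["path"])):
            return 429
        if extra is not None and not extra.allow(key(request)):
            return 429
        return handler(request)

# Constructed sample: the reset code currently issued for one account.
ISSUED_CODES = {"alice": "482913"}

def build_app(clock=time.monotonic):
    app = Router(clock)
    # Six guesses per hour per account, whichever host, IP or session sends them.
    reset_limit = FixedWindowLimiter(6, 3600, clock)
    @app.route("/reset/verify", limiter=reset_limit, key=lambda r: r["account"])
    def verify_code(request):
        return 200 if ISSUED_CODES.get(request["account"]) == request["code"] else 403
    app.route("/profile")(lambda request: 200)  # an ordinary, unprivileged route
    return app
```

In production the bucket store would be shared (e.g. a central cache) rather than a per-process dict, otherwise each beta or regional deployment silently gets its own budget.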
technion about 9 years ago
    beta.facebook.com and mbasic.beta.facebook.com

Certificate Transparency has an interesting impact on some of the less-public servers.

https://crt.sh/?q=%25.facebook.com

A host of servers turn up in that list, which may similarly be less security tested than the main facebook.com site.
unknownzero about 9 years ago
Anyone know what tool he was using in the YouTube video? This stuff is super interesting.
beshrkayali about 9 years ago
Regardless of whether this is Facebook or not, forget to throttle your API and this is what you get: some dude toying around with a tool just to poke holes in your thing, but I digress.

In any twisted, unrealistic, straight-out-of-Homeland scenario where anyone high profile enough would make use of this "vulnerability" and successfully create a media "splash", and assuming Facebook's security team is on top of their game, this would get patched in a week tops. Keeping an eye on the average number of requests coming to their API endpoints, especially sensitive ones, is part of their job, not a nice-to-have. I'd even think this would actually get patched within 24 hours (since the fix isn't really that difficult). I have absolutely no care or sympathy for Facebook, but yeah, 15K is a lot for something like this. It's a nice catch, that's all.
debacle about 9 years ago
Good on Facebook for being so quick to reward Anand and fix the issue.
annnnd about 9 years ago
I would love to know if someone has exploited this bug - should be fairly easy to learn that from logs (this attack is far from stealthy). I guess FB will never tell. :)
adam12 about 9 years ago
Anyone else have trouble with that webpage? It froze my browser (Chrome).
010a about 9 years ago
Hacker News: Where comments can be six paragraphs long and say absolutely nothing.
msie about 9 years ago
Surprised that the well-paid developers at Facebook missed this vulnerability. Should inspire confidence in anyone who didn't get a job there. :-)