For about 72 hours, Anand Prakash had the ability to get into any Facebook account he pleased.
Luckily Prakash, a hacker who lives in India, reported the scary vulnerability to Facebook directly in return for a $15,000 payout. In a blog post on Monday, he outlined how he “could have hacked all Facebook accounts.”
Here’s how he did it.
When you forget your Facebook account password, you’re able to request a reset by entering your email address or phone number on the social network’s website. A 6-digit temporary login PIN is then sent to the email address or phone number you entered to let you reset the password.
Prakash tried to keep guessing the temporary 6-digit PIN on Facebook’s website, but he was blocked after 10-12 attempts. Then he tried the same thing on Facebook’s beta site, which is used by developers to test apps on the platform.
Because you can still log into any account on beta.facebook.com, Prakash tried to guess the 6-digit PIN and discovered that there was no max attempt number set like on Facebook’s normal website. That allowed him to brute force hack the PIN by quickly entering every possible number combination on his computer.
“I tried to takeover my account (as per Facebook’s policy you should not do any harm on any other users account) and was successful in setting new password for my account,” he wrote on his blog. “I could then use the same password to login in the account.”
Prakash immediately reported his findings to Facebook and was awarded a $15,000 bounty for discovering the bug. It’s common practice for major tech companies to pay bounties like that when hackers discover critical bugs and report them to the proper people.
“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” A Facebook spokesperson told Tech Insider. “We’re happy to recognise and reward Anand for his excellent report.”