Facebook has recently awarded a British security researcher $20,000 for discovering a bug that allowed a full takeover of any Facebook account, with no user interaction. Facebook acknowledged and responded to the report and fixed the flaw within a day.
The bug was in the SMS feature Facebook provides for receiving updates by text message. This feature lets users link a mobile number to their Facebook account and also log in with the mobile number rather than the usual email address. Jack Whitton, a 22-year-old UK-based security researcher, found this serious loophole, and the award of $22,000 reflects the severity of the bug.
Facebook also listed Jack in its Hall of Fame for finding this bug. Anyone who finds a security loophole can report it to Facebook to be fixed and, who knows, might be rewarded for it. Facebook runs this White Hat program to collaborate with external security researchers and help ensure that the highest security standards are maintained for its users.
Jack explained the bug on his blog. To exploit it, he first sent the letter F to 32665, which is Facebook’s SMS short-code in the UK, and received an 8-character verification code back. He entered this code into the activation box after modifying the HTML values in the source of the ‘Facebook Mobile’ activation page, submitted it to obtain the user’s data via AJAX (from Facebook only), and reset the user’s password to finally take over the account.
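The root cause described above is a server that trusts the account identifier carried in the activation form instead of the logged-in session. The following is an added illustration, not Facebook’s code or Jack’s; the field name profile_id, the helper names and the in-memory stores are all assumptions constructed for the example. It shows the flawed handler beside a version that binds the phone link to the authenticated account.

```python
# Minimal model of a phone-linking ("activation") handler, constructed for
# this example. Flawed version first, hardened version second.
import secrets

# verification code -> phone number it was sent to (constructed in-memory store)
ISSUED_CODES = {}
# account id -> linked phone number (constructed in-memory store)
LINKED_PHONES = {}


def issue_code(phone):
    """Simulate the short-code SMS: a phone texts in and a code is sent back."""
    code = secrets.token_hex(4)  # 8 hex characters, like the code in the article
    ISSUED_CODES[code] = phone
    return code


def activate_vulnerable(session_user, form):
    """Flawed: the account to link comes from a hidden form field.
    Anyone who edits the page source can point the link at another account;
    session_user is never consulted."""
    phone = ISSUED_CODES.pop(form["code"], None)
    if phone is None:
        return False
    LINKED_PHONES[form["profile_id"]] = phone  # client-controlled target
    return True


def activate_fixed(session_user, form):
    """Hardened: the target account is the authenticated session's account.
    A profile_id field, if the form still carries one, must match it, and the
    check happens before the single-use code is consumed."""
    if form.get("profile_id", session_user) != session_user:
        return False
    phone = ISSUED_CODES.pop(form["code"], None)
    if phone is None:
        return False
    LINKED_PHONES[session_user] = phone
    return True
```

Once a phone is linked, every downstream feature (login by number, password reset by SMS) inherits the link, which is why the fix has to sit in the activation step itself.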
Facebook encourages security researchers, and even ‘white-hat’ hackers, to report security flaws and bugs to the Facebook Security team and be rewarded, provided you are the first to report them, rather than treating the finding as cyber-crime. The minimum award is $500 USD with no maximum; as per Facebook, the amount depends on severity and creativity.
According to Facebook – “..visit the Facebook Security Page for assistance. If you believe you have found a security vulnerability on Facebook, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.”
This is something missing from the philosophy of Internet giants in India; earlier this month India’s biggest gaming website, Zapak.com, was hacked. No company can guarantee 100% prevention of bugs, but, like Facebook, it can minimise the risk of information loss and account hijacks.
Such incidents are common across the globe, but encouragement to report them is not. The effect is not limited to monetary awards and bounties: it also fosters a competitive attitude and greater care among core programmers and developers of apps. It brings a sense of working beyond the fences of the core team, part-time work opportunities for freelance programmers, and collaboration with security researchers.
Facebook knows that what its employees can do is good, but that the talent available outside its office boundaries is vast; outside contributors do no harm and give it an extra edge. That is something to be learned from a young company like Facebook.