Facebook Rewards $20,000 for Vulnerability Discovery
If you find a big security flaw in Facebook, it will give you a big reward — $20,000, to be exact. One security expert found a vulnerability that allowed a remote hacker to take over a user's profile with no input from the user whatsoever.
Jack Whitton, a UK-based security researcher who runs a blog called fin1te, discovered the flaw about a month ago. The issue affected users who link their cell phones with their Facebook accounts. These users can log into Facebook with their phone number and a code sent by short message service (SMS), and can receive Facebook updates via text message.
The hack takes several steps, although any sufficiently Web-savvy malefactor could pull it off. Each Facebook account has a unique profile ID, and that ID is included in the form a user submits when confirming a phone number. The attacker first texts Facebook from his own phone to request a confirmation code, so the code arrives on a phone he controls.
He then edits the confirmation form in the page source, swapping his own profile ID for his target's, and submits his confirmation code. Facebook asks for a password at this point, but it is the attacker's own session being re-authenticated, so he simply enters his own password. Because the form's profile ID was trusted over the logged-in session, the attacker's phone is now linked to the target's account. From there, the attacker requests a password reset via SMS, receives the reset code on his own phone, and gains complete control of the target's page without the target ever being involved.
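The core mistake in the flow described above is that the server took the account to modify from a client-supplied profile ID rather than from the logged-in session. The following is an added toy model, written for this page and not Facebook's own code, that shows the vulnerable handler next to a fixed one. The service, user names, phone number and password-reset helper are all constructed for illustration.

```python
"""
Toy model of a phone-confirmation flow with an authorization bypass.
Constructed illustration: the PhoneConfirmService class, its users
("alice", "mallory") and the phone number are made up for this example,
and the handler logic is a guess at the class of bug, not a real system.
"""
import hmac
import secrets


class PhoneConfirmService:
    def __init__(self):
        self.pending = {}        # phone -> (session user that requested it, code)
        self.phone_owner = {}    # phone -> account that this phone can unlock
        self.passwords = {"alice": "alice-pw", "mallory": "mallory-pw"}

    def request_code(self, session_user, phone):
        """Step 1: issue a confirmation code; in reality it is sent by SMS to `phone`."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (session_user, code)
        return code

    def confirm_vulnerable(self, session_user, phone, code, form_profile_id):
        """Vulnerable handler: links the phone to whatever profile ID the form carries."""
        issued_to, expected = self.pending.get(phone, (None, None))
        if expected is None or not hmac.compare_digest(code, expected):
            return False
        # BUG: form_profile_id comes from the client; the session user is ignored,
        # so an attacker who edits the form can attach his phone to any account.
        self.phone_owner[phone] = form_profile_id
        del self.pending[phone]
        return True

    def confirm_fixed(self, session_user, phone, code, form_profile_id=None):
        """Fixed handler: the account that receives the phone is the session's
        account, and the code must have been issued under that same session."""
        issued_to, expected = self.pending.get(phone, (None, None))
        if expected is None or not hmac.compare_digest(code, expected):
            return False
        if issued_to != session_user:
            return False  # code was requested by a different account
        # The client-supplied profile ID is never consulted.
        self.phone_owner[phone] = session_user
        del self.pending[phone]
        return True

    def reset_password_by_sms(self, phone, new_password):
        """Password reset by phone: whoever reads SMS at `phone` controls its owner."""
        user = self.phone_owner.get(phone)
        if user is None:
            return None
        self.passwords[user] = new_password
        return user


def takeover_attempt(confirm_handler):
    """Replay the attack against a given confirm handler.

    Returns (account now linked to the attacker's phone, alice's password
    after the attacker's reset), so the outcome of each handler is visible.
    """
    svc = PhoneConfirmService()
    attacker_phone = "+15555550100"            # constructed number, attacker-controlled
    code = svc.request_code("mallory", attacker_phone)   # SMS lands on the attacker's phone
    # Attacker submits his own code but edits the form's profile ID to the victim's.
    if confirm_handler(svc, "mallory", attacker_phone, code, "alice"):
        svc.reset_password_by_sms(attacker_phone, "owned")
    return svc.phone_owner.get(attacker_phone), svc.passwords["alice"]


if __name__ == "__main__":
    print("vulnerable:", takeover_attempt(PhoneConfirmService.confirm_vulnerable))
    print("fixed:     ", takeover_attempt(PhoneConfirmService.confirm_fixed))
```

With the vulnerable handler the attacker's phone ends up attached to the victim's account and the SMS reset changes the victim's password; with the fixed handler the phone can only ever be attached to the account that is actually logged in, so the same request merely resets the attacker's own password. The general lesson is that any identifier naming "which account to change" must come from the authenticated session, never from a hidden form field the client can edit.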
Afterwards, any information a user stores on Facebook would belong to the hacker. This is problematic from an identity theft perspective (as many users have their real names, addresses and phone numbers on Facebook), but it also grants hackers an easy avenue to spread links to malicious sites. Users are more likely to open links from trusted friends, so combined with malware that hijacks Facebook pages, dozens or hundreds of users could fall quickly.
It took Facebook five days to fix the issue, and it awarded Whitton $20,000 for his efforts. This is the largest reward that Facebook has ever given for a security flaw, which should give some indication of its potential danger.
Although this issue has been fixed, Facebook likely has other vulnerabilities just waiting to be discovered — some potentially as harmful as this one. Facebook may have to dish out thousands more dollars in reward money, but that's infinitely preferable to facing angry users after they've been hacked.