Last month, a security researcher named Anand Prakash stumbled on a major flaw in Facebook’s account security. When a user resets an account password, Facebook sends a 6-digit PIN to the user’s phone and accepts that PIN as a temporary credential while the reset is completed. A 6-digit PIN has only a million possible values, so the scheme depends on Facebook cutting off an attacker after a handful of wrong guesses, which facebook.com normally does after ten or twelve. Prakash noticed that this protection was missing on beta.facebook.com, where developers often deploy features that aren’t ready for the main site. Since every Facebook account is also reachable through beta.facebook.com, the bug let him flood the beta page with PIN guesses until one worked, effectively letting him take over any account he wanted.
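The flaw described above comes down to one missing counter: the beta host did not stop counting wrong guesses, so an attacker could walk the whole 6-digit space. The Python sketch below is an added illustration, not Facebook’s code or Prakash’s; it pairs a toy reset-PIN verifier with a brute-force loop and runs the loop once without a limit and once with one. The ten-attempt limit, the account name and the PIN values are assumptions chosen for the example.

```python
"""Illustrative reset-PIN verifier with and without a guess limit.

Added example; not Facebook's implementation. The limit of ten attempts,
the account name "victim" and the PINs used below are assumptions.
"""
import hmac
import secrets

PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS  # 1,000,000 possible 6-digit PINs


class ResetPinVerifier:
    """Holds one outstanding reset PIN per account and counts bad guesses.

    max_attempts=None models the beta host with no cutoff; an integer models
    the production behaviour of locking the PIN after that many failures.
    """

    def __init__(self, max_attempts=10):
        self.max_attempts = max_attempts
        self._pins = {}      # account -> pending PIN string
        self._failures = {}  # account -> consecutive wrong guesses

    def issue_pin(self, account, pin=None):
        """Create (or, for tests, set) the PIN that would be sent by SMS."""
        if pin is None:
            pin = f"{secrets.randbelow(PIN_SPACE):0{PIN_DIGITS}d}"
        self._pins[account] = pin
        self._failures[account] = 0
        return pin

    def verify(self, account, guess):
        """Return 'ok', 'wrong', 'locked' or 'no_pending_reset'."""
        if account not in self._pins:
            return "no_pending_reset"
        # Check the counter before the PIN: once locked, even the right PIN
        # is refused, so the attacker gains nothing from the remaining space.
        if self.max_attempts is not None and self._failures[account] >= self.max_attempts:
            return "locked"
        if hmac.compare_digest(self._pins[account], guess):
            del self._pins[account]          # PINs are single-use
            self._failures.pop(account, None)
            return "ok"
        self._failures[account] += 1
        if self.max_attempts is not None and self._failures[account] >= self.max_attempts:
            return "locked"
        return "wrong"


def brute_force(verifier, account):
    """Try every PIN in order. Returns (recovered_pin or None, attempts used)."""
    for n in range(PIN_SPACE):
        guess = f"{n:0{PIN_DIGITS}d}"
        result = verifier.verify(account, guess)
        if result == "ok":
            return guess, n + 1
        if result in ("locked", "no_pending_reset"):
            return None, n + 1
    return None, PIN_SPACE


def demo(max_attempts, real_pin="000123"):
    """Issue a known PIN (assumed value) and run the brute force against it."""
    v = ResetPinVerifier(max_attempts=max_attempts)
    v.issue_pin("victim", real_pin)
    recovered, attempts = brute_force(v, "victim")
    # What an attacker who later learns the real PIN would get:
    after = v.verify("victim", real_pin)
    return {"recovered": recovered, "attempts": attempts, "after": after}


if __name__ == "__main__":
    print("no limit (beta-style):", demo(None))
    print("10-attempt limit:      ", demo(10))
```

With no limit the loop recovers the PIN after 124 guesses; with a limit of ten it is refused on the tenth wrong guess and the account stays locked even when the correct PIN is presented afterwards. A real deployment would also throttle by source address and expire the PIN after a short window, but the per-account counter is the control the beta host was missing.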
The bug was the result of a change deployed to the beta page a few days earlier, and it doesn’t seem to have been widely exploited before Prakash discovered it. Still, it’s a serious security problem, and exactly the kind of flaw that bug bounties are meant to catch. Prakash submitted the bug through Facebook’s vulnerability-reporting page, and the next day the company confirmed that it had been fixed. Eight days after that, Facebook awarded him $15,000 for reporting the issue.