
Facebook pays $15,000 to researcher for finding a bug

This story is originally from Verge.com:

http://www.theverge.com/2016/3/8/11179926/facebook-account-security-flaw-bug-bounty-payout

 

This could have been a big security risk.

 

Quote

Prakash noticed those protections were missing on beta.facebook.com, where developers often deploy new features that aren't ready for facebook.com. But since every Facebook account is also available on beta.facebook.com, the resulting bug let him flood the page with PIN guesses, effectively letting him break into any account he wanted.

It boggles the mind why Facebook would mirror live accounts on their beta page. It should have been only for those who opt in for the beta. But in any case, it was good this was reported before some nefarious people could use the technique.

 

Kudos to Facebook for taking bug bounty very seriously. Apparently they've awarded over $4m already. Damn...


Many thanks to the guy who found the bug, however Facebook's concern for privacy and security is laughable.


Wow they actually paid out??? Didn't they refuse to pay the last guy who found a bug? Well in that case I think he actually demonstrated before revealing lol

 

$15K sounds low for something potentially lawsuit worthy, but good on that guy. 

"Solus" (2015) - CPU: i7-4790k | GPU: MSI GTX 970 | Mobo: Asus Z97-A | Ram: 16GB (2x8) G.Skill Ripjaws X Series | PSU: EVGA G2 750W 80+ Gold | Case: Fractal Design Define R4

Next Build: "Tyrion" (TBA)

