A bug in Facebook let people hack into anyone’s account.
The hack allowed people to keep guessing at a user’s password until they gained access. Usually, sites like Facebook prevent this by locking accounts after a number of tries, but a bug in the way the site works allowed people to get around that.
Because of the problem, users could have set a computer programme to keep trying different codes until they gained access. Once in, they could have changed the password and permanently locked the real owner out, as well as gaining access to credit card details, personal messages and photos.
A security researcher in India found the bug. Anand Prakash received $15,000 from Facebook as part of its bug bounty programme — though the flaw was relatively simple, the large amount of money is thought to be a result of the huge potential problems it could have caused.
The vulnerability lay in the way that Facebook allows people to get back into their account if they have lost their password. If that happens, the site allows users to reset their login by entering a phone number or email address, to which Facebook will send a code that can be used instead of the password.
On the main Facebook site, people are prevented from entering that code too many times because the site blocks further attempts. Mr Prakash said that he tried entering random codes on the site and was usually stopped after 10 or 12 attempts.
But on Facebook’s beta site — a version that is usually used by developers — that check was missing. Mr Prakash found that he could reset his own password without ever receiving the code.
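The difference between the two sites comes down to whether the reset-code check counts failed guesses. The following is an added illustration, not Facebook's code: a small reset-code store whose `enforce_limit` flag switches between the missing check (the beta-site behaviour) and the lockout the main site applied; the 10-attempt limit follows the article, while the six-digit code format and the ten-minute expiry are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 10        # the main site stopped the researcher after 10 or 12 tries
CODE_TTL_SECONDS = 600   # assumed: a reset code is only valid for ten minutes


class ResetCodeStore:
    """Issues one-time password-reset codes and verifies guesses against them."""

    def __init__(self, enforce_limit=True, now=time.time):
        self.enforce_limit = enforce_limit  # False reproduces the beta-site flaw
        self.now = now                      # injectable clock so expiry is testable
        self.codes = {}                     # account -> [code, issued_at, failed_attempts]

    def issue(self, account):
        # Assumed format: six decimal digits, drawn from a CSPRNG.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[account] = [code, self.now(), 0]
        return code

    def verify(self, account, guess):
        entry = self.codes.get(account)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self.now() - issued_at > CODE_TTL_SECONDS:
            del self.codes[account]         # expired codes are discarded, not evaluated
            return False
        if self.enforce_limit and attempts >= MAX_ATTEMPTS:
            return False                    # locked: even the right code is refused now
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self.codes[account]         # single use: a code cannot be replayed
            return True
        entry[2] = attempts + 1             # count the miss against this account
        return False

    def remaining_attempts(self, account):
        entry = self.codes.get(account)
        if entry is None or not self.enforce_limit:
            return None                     # None: no limit applies (the flawed state)
        return max(0, MAX_ATTEMPTS - entry[2])
```

The check has to sit in the shared verification path rather than in one front end, otherwise a second site such as a beta deployment can reach the same codes with the limit missing, which is exactly what the researcher found.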