Facebook gives $20K for discovering security flaw


Facebook has rewarded a British man with $20,000 (£13,000) after he found a bug which could have been exploited to hack into the social network giant's user accounts.

Jack Whitton, a security researcher, discovered a flaw in the social network's text messaging system, which is used to log in and reset passwords. Facebook today thanked Mr Whitton, 22, who is part of the site's "responsible disclosure" hall of fame.

The company, like many on the internet, encourages people to report bugs to it rather than to cybercriminals. In return, companies usually offer rewards of varying amounts, depending on the severity of the flaw found.

Such schemes are known as "bug bounties", and similar programmes are run by companies such as Microsoft, PayPal and Google.

“Facebook’s White Hat programme is designed to catch and eradicate bugs before they cause problems,” Facebook told the BBC. “Once again, the system worked and we thank Jack for his contribution.”

The bug, which has now been fixed, allowed Mr Whitton to trick Facebook's text message verification system into sending him a password reset code for an account that was not his. Using this code, he could go onto Facebook, reset the user's password, and then access the account.

Mr Whitton is what is known as a “white hat” hacker – someone who can discover security holes and faults in software, but chooses not to use them for criminal gain.

The Facebook bug would have been of great interest to cybercriminals, noted Graham Cluley, a security expert.

“It could have been worth an awful lot more money,” he told the BBC.

"Imagine if he were a black hat hacker, one of the bad guys, if he were to offer his services to criminals saying any account they wanted breaking into, he could do it."

He said Facebook should be “extremely grateful” that Mr Whitton opted to report it to them.

“It could have been a PR disaster,” he told the BBC.

“This security flaw is terrible. It should never have existed. It’s a gaping hole, thank goodness it’s closed now. We are really relying on the goodwill of researchers.”
