Facebook Paid Security Researcher Jack Whitton $20,000 For Discovering A Major Bug

Posted Jul 1, 2013

Facebook has paid a United Kingdom-based security researcher named Jack Whitton $20,000 because he discovered how to hack into another person’s Facebook account without their knowledge. According to the BBC, this was achieved simply by sending a text message to Facebook and manipulating some source code.

The security flaw has been fixed. It was in a Facebook service that allowed users to connect their mobile phones with their accounts. The service allowed users to log into Facebook with their phone number instead of their e-mail address and to send profile updates through text messages.

In order to activate the feature, a user would send a text message to Facebook, and Facebook would send back a text message with an authorization code. This code ties the user’s device to their account. Whitton found that he could manipulate the authorization code so that it could be used on other users’ accounts as well.

A hacker would have been able to change the password and gain control of the account, Whitton said in a blog post. The flaw was in the “/ajax/settings/mobile/confirm_phone.php” endpoint.
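The failure mode described above, as a constructed illustration added here (not Facebook's code, and the request parameters of the real endpoint are not given in this article): a phone-confirmation handler that accepts a valid code for whichever account the caller names, beside one that only applies the code to the account it was issued for and takes that account from the logged-in session.

```python
# Added example, not code from the article or from Facebook. Models an SMS
# pairing flow: a code is minted for (account, phone), then redeemed at a
# confirm endpoint. Account ids and phone numbers below are constructed.
import secrets
from dataclasses import dataclass, field


@dataclass
class PairingCode:
    code: str
    account_id: int   # account that requested the code
    phone: str        # phone number the SMS came from


@dataclass
class Store:
    codes: dict = field(default_factory=dict)    # code -> PairingCode
    phones: dict = field(default_factory=dict)   # account_id -> phone


def issue_code(store: Store, account_id: int, phone: str) -> str:
    """Simulates the SMS handshake: Facebook replies with a code bound to
    the requesting account and the sending phone."""
    code = secrets.token_hex(4)
    store.codes[code] = PairingCode(code, account_id, phone)
    return code


def confirm_vulnerable(store: Store, code: str, target_account_id: int) -> bool:
    """Weak check: the code is valid, so the phone is attached to whatever
    account id the request names. A code issued to the attacker's own
    account can therefore pair the attacker's phone with a victim account."""
    rec = store.codes.get(code)
    if rec is None:
        return False
    store.phones[target_account_id] = rec.phone
    return True


def confirm_hardened(store: Store, code: str, session_account_id: int) -> bool:
    """Hardened check: the account comes from the authenticated session, the
    code must have been issued to that same account, and it is single-use."""
    rec = store.codes.get(code)
    if rec is None or rec.account_id != session_account_id:
        return False
    del store.codes[code]
    store.phones[session_account_id] = rec.phone
    return True


def demo() -> tuple:
    """Constructed scenario: attacker (id 2) obtains a code and presents it
    against victim account id 1 on each handler."""
    weak_store, hard_store = Store(), Store()
    weak_ok = confirm_vulnerable(weak_store, issue_code(weak_store, 2, "+15550100"), 1)
    hard_ok = confirm_hardened(hard_store, issue_code(hard_store, 2, "+15550100"), 1)
    return weak_ok, weak_store.phones.get(1), hard_ok, hard_store.phones.get(1)
```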

Whitton told Facebook about the flaw on May 23rd, and the company fixed it five days later. Facebook acknowledged Whitton on its White Hat list of helpers and paid him the $20,000 reward.

Facebook has been dealing with all sorts of attacks as of late. This past week, Facebook subsidiary Instagram was hit with a spam attack that displayed fruit pictures with a malicious link attached. Facebook also had an incident in which the contact information of around 6 million users was shared.