It was just another day at the office for security researcher Jack Whitton when he discovered a bug that could have been used to hack into users’ Facebook accounts.
Twenty-two-year-old Whitton, who is based in the UK, took it upon himself to make the social network aware of the dangerous loophole, and his charitable revelation subsequently landed him $20,000 (£13,000) and got him inducted into the site’s “responsible disclosure” Hall of Fame, according to the BBC. This is not the first time that Facebook has splashed out on ‘bug bounty’ payments. The network has always encouraged user feedback and the reporting of cyber criminals, but payouts as big as this are rare. The bug that Whitton discovered tricks the text message verification system into sending a password reset code for an account (whether it’s yours or not); an attacker who received the code could reset the password and gain access to any account.
Whitton is not new to the ‘white hat’ world, having gained some fame in security communities for previous hacks he has uncovered. Whitton is also not naive to the fact that the $20,000 he received, although a pretty penny, should have been much more. Had he been one of the bad guys, this hack, which security expert Graham Cluley described as a ‘gaping hole’ and a potential ‘PR disaster’, could have cost Facebook countless users and exposed sensitive information belonging to its users and the network.
It looks like Facebook may have gotten off easy. According to Cluley: “This security flaw is terrible. It should never have existed. It’s a gaping hole, thank goodness it’s closed now. We are really relying on the goodwill of researchers.”