About Anand Prakash

Anand Prakash is an Indian security engineer and bug bounty hunter, currently working for Flipkart.


He was born and brought up in Bhadra, a small town in Rajasthan, India.

Awards and recognition

  • Worked with the Gurgaon cyber crime police to help them solve cyber cases
  • Reported a vulnerability in Zomato.com which could have leaked data of 62.5 million users
  • 2nd position in Twitter's bug bounty list in the world (2015)
  • Reported a vulnerability in Facebook.com
  • Was given the best student award by VIT University

YouTube channel of Anand Prakash: https://www.youtube.com/watch?v=U3Of-jF1nWo
Blog of Anand Prakash: http://www.anandpraka.sh/

Anand Prakash is an Indian network security engineer. He is a bug bounty hunter and generally participates in bug bounty programs. He is from Bhadra, Rajasthan. He has earned a total of Rs 1.3 crore just by reporting bugs to Facebook, Twitter and a host of other US-based companies. He is a security intern at Flipkart. He has also helped the Gurgaon police solve cyber cases.

Behind The Hack


As we all know, people tend to forget things, especially the usernames and passwords of social sites. Luckily, these sites provide an option to reset the password: a code is sent to the phone number or email address provided, and by entering that code we are able to set a new password.

In this case, the password of a Facebook account can be changed by visiting this link.

https://www.facebook.com/login/identify?ctx=recover&lwv=110

Facebook then sends a 6-digit code to the phone or email.

Here comes the hacking part

Anand Prakash first tried to brute-force the 6-digit code on www.facebook.com, but it stopped working after 10-12 invalid attempts because Facebook limits the number of invalid attempts.

#Brute Force attack :- In this attack, the attacker systematically checks all possible codes, phrases or passwords until the correct one is found.

He then tried to brute-force the code on the beta sites, i.e. beta.facebook.com and mbasic.beta.facebook.com, and was successful. The interesting part was that the invalid attempts limit was missing there. He was able to set a new password and could then access the full account.

Note :- He performed this hack on his own account. As per Facebook's policy, you should not do any harm to any other user's account.


Vulnerable request:

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

After the Hack

Being a bug bounty hunter, he reported this vulnerability to the Facebook White-Hat page, https://www.facebook.com/whitehat, on Feb 22nd 2016.

On Feb 23rd 2016, he got the reply that the issue was fixed.
On March 2nd 2016, he was awarded a bounty of $15,000.

#Vulnerability :- In computer security, a vulnerability is a loophole or weakness in a program that can help someone hack a system.