Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability
Security News, May 2020
Security researcher Vinoth Kumar says Facebook awarded him $20,000 after he discovered and reported a Document Object Model-based cross-site scripting vulnerability that could have been exploited to hijack accounts.
The researcher says he discovered the vulnerability in the window.
The process of identifying the vulnerability, the researcher says, began with the Facebook Login SDK for JavaScript, which creates a proxy iframe (the v6.0/plugins/login button).
The researcher identified two manners in which the vulnerability could be exploited, one involving opening a pop-up window and then communicating with it, and the other relying on opening an iframe and communicating with it.
The social media platform addressed the vulnerability three days later by "Adding facebook.com regex domain and schema check in the payload url param." The company awarded the researcher a $20,000 bug bounty two weeks later.
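The two vectors above both come down to a page trusting a URL or an origin it receives from another window, and the fix quoted above adds a domain and scheme check on the payload URL parameter. The following is an added example, not Facebook's code: it contrasts a weak substring-style regex with a check that parses the URL and verifies scheme and host, and reuses the same host rule for the origin of a message from a pop-up or iframe. The parameter name, the regexes, the allowed scheme and the sample inputs are assumptions for illustration.

```javascript
// Added example (not Facebook's code). Regexes, allowed scheme and samples are assumptions.

// Weak check: matches anything that merely contains "facebook.com" and ignores the scheme.
const WEAK_RE = /facebook\.com/;
function weakCheck(url) {
  return WEAK_RE.test(url);
}

// Hardened check: parse the URL, require https, and require the hostname to be
// facebook.com or a dot-separated subdomain of it (anchored at both ends).
const ALLOWED_SCHEME = "https:";
const ALLOWED_HOST_RE = /^(?:[a-z0-9-]+\.)*facebook\.com$/i;

function isAllowedPayloadUrl(url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on relative or malformed input -> reject
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== ALLOWED_SCHEME) return false; // rejects javascript:, data:, http:
  return ALLOWED_HOST_RE.test(parsed.hostname);
}

// A message from a pop-up or iframe carries event.origin ("https://host"); the same
// scheme and host rule decides whether the sender should be trusted at all.
function isTrustedMessageOrigin(origin) {
  return isAllowedPayloadUrl(origin + "/");
}

// Constructed sample inputs showing where the weak check and the hardened check disagree.
const SAMPLES = [
  "https://www.facebook.com/",                       // legitimate
  "https://facebook.com.attacker.example/",          // allowed host used as a prefix
  "https://attacker.example/?ref=facebook.com",      // allowed host only in the query
  "http://www.facebook.com/",                        // right host, wrong scheme
  "javascript:void(0)",                              // non-navigational scheme
  "not a url",                                       // unparsable
];

function evaluateSamples() {
  return SAMPLES.map((url) => ({ url, weak: weakCheck(url), hardened: isAllowedPayloadUrl(url) }));
}
```

Only the first sample passes the hardened check, while the weak regex also accepts the next three.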