Facebook has awarded a security researcher $20,000 for discovering a cross-site scripting (XSS) vulnerability in the Facebook Login SDK, which is used by developers to add a “Continue with Facebook” button to a page as an authentication method. Exploitation could allow threat actors to hijack accounts.
Security researcher Vinoth Kumar identified a Document Object Model (DOM)-based XSS flaw in the window.postMessage() method of the platform’s code. This method is supposed to enable secure cross-origin communication between Window objects.
Source: ThreatPost