A researcher has earned $55,000 from Facebook for reporting a serious vulnerability that attackers could have used to steal access tokens and hijack accounts.
India-based researcher Amol Baikar noticed in December that a bug affected "Login with Facebook," the feature that lets users sign in to other websites with their Facebook account.
Baikar found that an attacker could hijack the OAuth flow (the feature relies on the OAuth 2.0 authorization protocol) and steal a user's access tokens for applications that use the same flow, such as Instagram and Oculus. To carry out the attack, the attacker had to convince the targeted user to visit a malicious website.
Facebook was notified of the vulnerability on December 16 and issued a patch within a week. The researcher nevertheless found a way to bypass the patch, and a more thorough fix was deployed in mid-January.
Baikar said he received $55,000 from Facebook for the initial report and the patch bypass combined, and that this is the largest bounty the social media giant has paid for a client-side vulnerability.
"We fixed the problem and saw no evidence of abuse," Facebook said. The company said the flaw was introduced in May 2019 and was corrected in January by tightening the restrictions on the OAuth flow and by a code fix designed to prevent communication with untrusted websites. "We are grateful for the help of this researcher in maintaining the safety of our platform."
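The article does not give the technical details of Baikar's bug, only that a malicious page could obtain the user's OAuth tokens and that Facebook's fix restricts the flow and blocks communication with untrusted sites. The example below is added here to illustrate that class of defect in a generic OAuth token relay between an identity-provider window and an application page; it is not Facebook's code, and every name in it (ALLOWED_ORIGINS, REGISTERED_REDIRECT_URIS, PROVIDER_ORIGIN, the handler functions and sample messages) is an assumption made for illustration. It goes a little beyond the article by showing both sides of the exchange: the weak and strict origin checks a provider might apply before handing a token to a requesting window, redirect_uri validation, and the receiver-side check the application page needs.

```javascript
// Added example, not Facebook's code. All names and sample values below are
// assumptions used to illustrate origin and redirect_uri validation in an
// OAuth 2.0 token relay between browser windows.

// Origins of the application pages allowed to receive tokens (assumed).
const ALLOWED_ORIGINS = ["https://app.example.com", "https://www.example.com"];
// redirect_uri values registered for the client (assumed).
const REGISTERED_REDIRECT_URIS = ["https://app.example.com/oauth/callback"];
// Origin of the identity provider, as seen from the application page (assumed).
const PROVIDER_ORIGIN = "https://login.provider.example";

// Weak check: substring matching on the origin string. A page on an
// attacker-controlled host such as https://app.example.com.evil.test, or a
// plain-http origin, passes it and would be handed the token.
function weakOriginCheck(origin) {
  return ALLOWED_ORIGINS.some(
    (allowed) => origin.indexOf(allowed.replace("https://", "")) !== -1
  );
}

// Strict check: parse the origin, require https, and compare the normalised
// scheme+host+port (URL.origin) exactly against the allowlist.
function strictOriginCheck(origin) {
  let u;
  try {
    u = new URL(origin);
  } catch (e) {
    return false; // not a parseable origin ("null", garbage, etc.)
  }
  if (u.protocol !== "https:") return false;
  return ALLOWED_ORIGINS.includes(u.origin);
}

// redirect_uri validation: exact match on the normalised scheme+host+path.
// No prefix or wildcard matching, so "/callback/../../evil" collapses to
// "/evil" and is rejected; fragments are refused as well.
function redirectUriAllowed(redirectUri) {
  let u;
  try {
    u = new URL(redirectUri);
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:" || u.hash !== "") return false;
  return REGISTERED_REDIRECT_URIS.includes(u.origin + u.pathname);
}

// Provider side: decide whether to post the token to the requesting window.
// Returns the message that would be sent (with an explicit targetOrigin for
// postMessage), or null when the requester is not trusted.
function relayToken(token, requestOrigin, check) {
  if (!check(requestOrigin)) return null;
  return { type: "oauth_token", token: token, targetOrigin: requestOrigin };
}

// Application side: a message handler must check event.origin before trusting
// a token delivered by postMessage, otherwise any page that can reach the
// window can inject a token of its choosing. Returns the token or null.
function acceptTokenMessage(event) {
  if (event.origin !== PROVIDER_ORIGIN) return null;
  if (!event.data || event.data.type !== "oauth_token") return null;
  return event.data.token;
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const evil = "https://app.example.com.evil.test";
  console.log("weak check leaks to", evil, ":", relayToken("tok", evil, weakOriginCheck) !== null);
  console.log("strict check leaks to", evil, ":", relayToken("tok", evil, strictOriginCheck) !== null);
  console.log("redirect_uri traversal accepted:", redirectUriAllowed("https://app.example.com/oauth/callback/../../evil"));
}
```

The point a practitioner should take from this is that trust decisions in a cross-window OAuth flow must be made on parsed, normalised origins compared for exact equality, on both the sending and receiving side, rather than on string containment or prefix matches that an attacker-chosen hostname or path can satisfy.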
Last year Facebook paid out around $2.2 million through its bug bounty program, bringing the total since the program launched in 2011 to almost $10 million.