Facebook’s bug bounty program has yielded a hefty paycheck to a researcher from India who discovered a serious security flaw in the platform.
In December last year, Amol Baikar was tinkering with the “Login with Facebook” feature when he discovered that he could hijack the OAuth flow and steal a user’s access tokens.
All an attacker had to do was send the victim a malicious link, which the unwary recipient would (theoretically) click. With the access tokens in hand, the attacker could take over the user’s account.
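The article does not say which step of the “Login with Facebook” flow was abused, so the following is an added, generic example rather than Baikar's finding or Facebook's fix. It shows the defensive check a relying party or identity provider applies against the general class of attack described above, in which a crafted link causes the authorization response, and the token it carries, to land at an attacker-controlled URL: exact-match validation of the `redirect_uri` parameter, as RFC 6749 section 3.1.2.2 recommends. The registered URI `https://app.example/oauth/callback`, the name `REGISTERED_REDIRECTS`, and the list of candidate links are all constructed for the illustration.

```python
"""Exact-match redirect_uri validation for an OAuth 2.0 authorization endpoint.

Added example, not code from the article or from Facebook. The app.example
host, the REGISTERED_REDIRECTS set and the CANDIDATES list are constructed
for illustration.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical client registration: the full redirect URIs the client
# registered. Anything that does not canonicalize to one of these is refused.
REGISTERED_REDIRECTS = frozenset({
    "https://app.example/oauth/callback",
})


def canonical_redirect(candidate: str) -> Optional[str]:
    """Return the canonical form of a redirect_uri, or None if it is malformed
    or uses a construction that has no business in a redirect_uri."""
    # RFC 6749 3.1.2: the redirect URI must not contain a fragment. Test the
    # raw string so that a bare trailing '#' is caught as well.
    if "#" in candidate:
        return None
    parts = urlsplit(candidate)
    # A downgrade to http would expose the code or token on the wire.
    if parts.scheme.lower() != "https":
        return None
    # userinfo ('https://app.example@evil.net/...') is a classic lookalike.
    if parts.username is not None or parts.password is not None:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname
    if not host:
        return None
    # Host names are case-insensitive; path and query are compared byte for
    # byte, so 'callback/../x', 'callback/', 'callback?next=' all fail.
    netloc = host.lower() if port in (None, 443) else f"{host.lower()}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, ""))


def redirect_uri_is_allowed(candidate: str,
                            registered=REGISTERED_REDIRECTS) -> bool:
    """True only if the candidate canonicalizes to a registered redirect URI."""
    canon = canonical_redirect(candidate)
    return canon is not None and canon in registered


# Constructed test links: the first two are legitimate spellings of the
# registered URI; the rest are the bypass shapes an attacker would try in a
# malicious login link.
CANDIDATES = [
    "https://app.example/oauth/callback",
    "https://APP.EXAMPLE:443/oauth/callback",
    "http://app.example/oauth/callback",                        # scheme downgrade
    "https://app.example.evil.net/oauth/callback",              # host prefix match
    "https://evil.net/x?u=https://app.example/oauth/callback",  # substring match
    "https://app.example@evil.net/oauth/callback",              # userinfo lookalike
    "https://app.example/oauth/callback/../../redirect",        # path traversal
    "https://app.example/oauth/callback?next=//evil.net",       # open-redirect chain
    "https://app.example/oauth/callback#",                      # fragment
]


def triage(candidates=CANDIDATES) -> Dict[str, bool]:
    """Map each candidate redirect_uri to its allow/deny decision."""
    return {c: redirect_uri_is_allowed(c) for c in candidates}


if __name__ == "__main__":
    for uri, ok in triage().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {uri}")
```

The point of canonicalizing and then comparing the whole string, rather than checking that the host “starts with” or “contains” the registered domain, is that every bypass in the list above survives a prefix or substring check and none survives an exact one.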
Facebook acknowledged the issue within a few hours of Baikar submitting the bug report.
On December 16, the social network silently pushed out a fix.
“I’m very glad that I’m part of this responsible disclosure to Facebook and joyous to achieve my goal successfully,” the researcher wrote on his blog.
“We’ve fixed the issue and haven’t seen any evidence of abuse,” Facebook told SecurityWeek. “We’re grateful for this researcher’s help to keep our platform safe.”