This hacker hacked Facebook with XSS script and got $20000 from them


A hacker used a vulnerability in the Facebook Login SDK for JavaScript to mount a Cross-Site Scripting (XSS) attack on the domain and received $20,000 (Rs. 15.00 lakhs)

An Indian hacker named Vinoth Kumar was able to hack into Facebook using a vulnerability in the Facebook Login SDK for JavaScript. He used a Cross-Site Scripting (XSS) attack to successfully mount an attack on the domain.

Vinoth Kumar works with the HackerOne guys and is mostly into finding open dashboards and credentials. This one time he decided to venture into something different. “I think DOM XSS through postMessage is an underrated vulnerability and mostly unnoticed by a lot of bug bounty hunters,” he says in his blogpost.

Vinoth says he started looking for XSSI, JSONP and postMessage vulnerabilities but quickly dropped XSSI and JSONP from his list. Both of those vulnerability classes are as good as dead since SameSite cookies were introduced. So he dug deep to find postMessage vulnerabilities, as these are mostly ignored by security researchers but are very easy to debug.

Vinoth visited looking for postMessage vulnerabilities. Normally a website uses iframe-based communication for widgets, plugins, or web SDKs. Vinoth started poking around the Facebook third-party plugins for vulnerabilities. This is when he noticed that the Facebook Login SDK for JavaScript creates a proxy iframe, v6.0/plugins/login_button.php, for cross-domain communication. In that iframe, Facebook renders the "Continue with Facebook" button.

Vinoth found it interesting that the JavaScript SDK sends an initial payload to the proxy frame which contains the button's click URL. When the SDK communicates with the Facebook plugin iframe, the URL param is sunk into an i variable, and when the button's click event fires, the function below is executed.

Vinoth immediately knew that he could exploit this feature with a Cross-Site Scripting (XSS) payload. He found that a javascript:alert(document.domain) DOM XSS could be exploited, because there is no URL or scheme validation in the JavaScript. He found that if he sent an XSS payload with the following command:


to the iframe, and the user clicks the Continue With Facebook button, javascript:alert(document.domain) would be executed on the domain.

Exploiting the Iframe to hack

There are two ways to exploit this issue.

  • By opening a pop-up window and communicating with it

  • Opening an iframe and communicating with it

He has already listed the PoC on his blogpost. As this endpoint is intentionally missing the 'X-Frame-Options' header and the CSP 'frame-ancestors' directive, the page can easily be embedded into the attacker's page.


Facebook fixed this by adding a regex-based domain and scheme check on the payload URL param. The fragment below is the relevant part of the patched code as quoted in the write-up; it is truncated.

d = b("isFacebookURI")(new (g || (g = b("URI")))(,
j =;
d || (j.url = b("XOAuthErrorController").getURIBuilder().setEnum("error_code", "PLATFORM
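The two halves of the issue described above, the URL param sunk straight into the button's click target and the domain-and-scheme check Facebook added, side by side. This is an added example written for this page, not the Facebook SDK's code: the function names (pickClickUrlUnchecked, pickClickUrlChecked, isAllowedLoginUrl), the allow-lists and the sample messages are all constructed for illustration.

```javascript
// Added example (not the Facebook SDK's code): a minimal model of the pattern
// the article describes. A proxy iframe receives an initial postMessage whose
// payload carries the login button's click URL. The names below are
// hypothetical and the sample messages are constructed for this example.

// Vulnerable shape: the URL in the message is accepted verbatim. Because a
// javascript: URL is a valid click target, the button becomes a DOM XSS sink
// for any page that can reach the frame with postMessage.
function pickClickUrlUnchecked(message) {
  return message.data && typeof message.data.url === 'string' ? message.data.url : null;
}

// Hardened shape, modelled on the fix the article describes (a domain and
// scheme check on the URL param): parse the URL, allow only https, and allow
// only an allow-listed host or one of its subdomains.
const ALLOWED_SCHEMES = new Set(['https:']);

function isAllowedLoginUrl(candidate, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(candidate); // throws on malformed or relative input
  } catch (e) {
    return false;
  }
  // URL normalises the scheme to lower case, so 'JavaScript:' and
  // 'javascript:' are both rejected here; a string prefix check would not
  // catch case or whitespace variants as reliably.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return false;
  const host = parsed.hostname;
  return allowedHosts.some((h) => host === h || host.endsWith('.' + h));
}

// The frame is embeddable by design (no X-Frame-Options / frame-ancestors),
// so the receiver must also check the message's origin instead of trusting
// whichever page happens to embed it.
function pickClickUrlChecked(message, trustedOrigins, allowedHosts) {
  if (!trustedOrigins.includes(message.origin)) return null;
  const url = pickClickUrlUnchecked(message);
  if (url === null || !isAllowedLoginUrl(url, allowedHosts)) return null;
  return url;
}

// Constructed configuration and messages (shaped like a MessageEvent: origin
// plus data); the path in the benign message is a placeholder, not a real one.
const TRUSTED_ORIGINS = ['https://www.facebook.com'];
const ALLOWED_HOSTS = ['facebook.com'];

const BENIGN_MESSAGE = {
  origin: 'https://www.facebook.com',
  data: { url: 'https://www.facebook.com/example-login-path' },
};

const HOSTILE_MESSAGE = {
  origin: 'https://attacker.example',
  data: { url: 'javascript:alert(document.domain)' }, // the probe URL from the write-up
};

// Runs both messages through both versions and returns the outcomes.
function demo() {
  return {
    uncheckedAcceptsHostile: pickClickUrlUnchecked(HOSTILE_MESSAGE),
    checkedRejectsHostile: pickClickUrlChecked(HOSTILE_MESSAGE, TRUSTED_ORIGINS, ALLOWED_HOSTS),
    checkedAcceptsBenign: pickClickUrlChecked(BENIGN_MESSAGE, TRUSTED_ORIGINS, ALLOWED_HOSTS),
  };
}

console.log(demo());
```

The origin check and the URL check are deliberately separate: the first answers "who sent this message", the second "is this value safe to use as a link target". Either one alone leaves a gap, since a trusted origin can still relay an attacker-chosen string, and a well-formed https URL can still arrive from an untrusted embedder.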

Proof of Concept video

Vinoth says that if someone visits an attacker-controlled website and clicks the Login with Facebook button, XSS would trigger on the domain on behalf of a user who is already logged into Facebook. Once these conditions are met, this would mean a 1-click account takeover of

Vinoth then approached the Facebook security team which acknowledged the vulnerability and awarded him $20,000 as a bug bounty for finding the flaw.

