A cross-site scripting (XSS) vulnerability that affected the ‘Login with Facebook’ button has earned a security researcher $20,000.
Vinoth Kumar discovered the DOM-based XSS vulnerability in technology that gives third-party websites the option to authenticate visitors through the Facebook platform.
The security issue arose because of a flawed implementation of the postMessage API.
The window.postMessage() method enables cross-origin communication between Window objects, for example between a web page and an iframe embedded within.
Kumar described the technology is an underexplored avenue for security bug hunters, hence his decision to look into Facebook’s implementation.
Another security researcher, Enguerran Gillier, recently discovered a technically similar XSS flaw in Gmail, as recently reported by The Daily Swig.
Though this vulnerability was an XSS bug but it was not easy to exploit. it was not like inputting script tags on DVWA or bWAPP web applications. it was completely different. you can read more from HERE and see how he found and exploit this vulnerability.