Security Experts:

Connect with us

Hi, what are you looking for?



Facebook Login Flaw Earns Researcher $5,000

A researcher received a $5,000 reward from Facebook after finding a vulnerability that could have been exploited to impersonate users on other websites.

A researcher received a $5,000 reward from Facebook after finding a vulnerability that could have been exploited to impersonate users on other websites.

Facebook allows developers to use Facebook Login as the login system for their applications and websites. When a user signs up for an app via Facebook Login, an account is created for them and Facebook handles authentication.

Bitdefender vulnerability researcher Ionut Cernica discovered that the Facebook Login feature could have been abused to impersonate users on websites where they had previously registered an account.

For the attack to work, the attacker needed to identify an email account used by the targeted individual to sign up on a website that allows social logins. However, the condition was that the targeted email address had not been used to register a Facebook account.

As Cernica demonstrated, the attacker could have created a Facebook account with the victim’s email address, and then swap that email address with one they controlled in the Facebook settings panel. The attacker could have used their own address for the email confirmation process and then switch them back to make the victim’s address the primary email again.

Switching email accounts in Facebook

Using the Facebook account that had the targeted user’s address set as the primary email, the attacker could have used the social login feature to sign in to the account where the victim had used that email address.

“This is a serious vulnerability – it allows attackers to login on most websites that feature Facebook Login,” Cernica said. “This means an attacker can make payments on the user’s behalf on an e-commerce site, for instance.”

The issue was reported to Facebook on March 31 and the social media company informed the researcher that the vulnerability had been patched on April 14.

While Bitdefender has classified the issue as a serious vulnerability, Facebook believes the risk was low considering that the bug was not easy to exploit on a large scale. Furthermore, Facebook noted that an attack required the creation of a fake account, which its systems can quickly detect and remove.

Bitdefender noted that it’s often not difficult to find a user’s email addresses, but Facebook pointed out that it might not be easy to determine which address has been used for a certain online service.

“This bug was difficult to exploit at a large scale and didn’t involve compromising Facebook accounts or company networks. However, we appreciate Ionut’s coordination with our bug bounty team to quickly resolve this issue,” a Facebook spokesperson told SecurityWeek.

Although it assigned the flaw a “low risk” exploitability rating, Facebook awarded the researcher $5,000 based on the potential risk.

The company’s guide on using the Facebook Login system includes recommendations for developers on how to safely merge accounts on a website or app if someone attempts to use Facebook Login with a different email address.

Related: Researcher Finds Malicious Web Shell on Facebook Server

Related: Facebook Password Reset Flaw Earns Researcher $15,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.