"I browsed Facebook's online search results, and in their HTML noticed that each result contained an iframe element – probably used for Facebook's own internal tracking," Masas said.
This flaw reportedly left users data exposed to cross-site request forgery.
"The thing is, iframes, unlike most web elements, are exposed in part to cross-origin documents," he said. "Combine that with the search CSRF issue and you have a real problem on your hands."
Masas said that he reported the vulnerability to Facebook and worked with the company's security team to ensure that the issue was thoroughly resolved.
Facebook has come under scrutiny in recent months after a string of data breaches, which has seen CEO and founder Mark Zuckerberg testify before congress.