A security researcher has released a tool that allows hackers to hijack accounts on sites that use Facebook logins.
The tool is called Reconnect, and was developed by Egor Homakov, a researcher with security auditing firm Sakurity. Reconnect works by exploiting cross-site request forgery (CSRF) issues impacting Facebook Login, which enables users to log-in to third-party websites via their Facebook accounts.
Essentially, the attack works by creating a link that when clicked on logs the victim out of their legitimate account and into a Facebook account under the control of the attacker. The attack connects the Facebook account of the attacker to the victim account on the third-party site, allowing the attacker to log into that account directly and change information such as email addresses, passwords and so on.
“RECONNECT is a ready to use tool to hijack accounts on websites with Facebook Login, for example Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others,” blogged Homakov. “Feel free to copy and modify its source code. Facebook refused to fix this issue one year ago, unfortunately it’s time to take it to the next level and give blackhats this simple tool.
“This bug abuses triple-CSRFs at once: CSRF on logout, CSRF on login and CSRF on account connection,” he wrote. “#1 and #2 can be fixed by Facebook, #3 must be fixed by website owners. But in theory all of these features must be protected from CSRF.”
Facebook has provided guidance to developers that can help with the situation, and decided not to fix the issue after balancing flexibility for developers with concerns about security. Instead, Facebook tried to make it more difficult to exploit.
A Facebook spokesperson told SecurityWeek that site developers using Login can prevent this issue by following the social network’s best practices and using the ‘state’ parameter we provide for OAuth Login.
“We’ve also implemented several changes to help prevent login CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login,” the spokesperson noted.
“This is indeed a very big issue as many popular websites use Facebook’s delegated identification, so a widespread exploit could wreak a lot of havoc,” said Branden Spikes, CEO of Spikes Security.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
