Connect with us

Hi, what are you looking for?



Tool Hijacks Accounts on Sites Using Facebook Login

A security researcher has released a tool that allows hackers to hijack accounts on sites that use Facebook logins.

A security researcher has released a tool that allows hackers to hijack accounts on sites that use Facebook logins.

The tool is called Reconnect, and was developed by Egor Homakov, a researcher with security auditing firm Sakurity. Reconnect works by exploiting cross-site request forgery (CSRF) issues impacting Facebook Login, which enables users to log-in to third-party websites via their Facebook accounts.

Essentially, the attack works by creating a link that when clicked on logs the victim out of their legitimate account and into a Facebook account under the control of the attacker. The attack connects the Facebook account of the attacker to the victim account on the third-party site, allowing the attacker to log into that account directly and change information such as email addresses, passwords and so on.

RECONNECT is a ready to use tool to hijack accounts on websites with Facebook Login, for example,,, Stumbleupon,,, Vimeo and many others,” blogged Homakov. “Feel free to copy and modify its source code. Facebook refused to fix this issue one year ago, unfortunately it’s time to take it to the next level and give blackhats this simple tool.

“This bug abuses triple-CSRFs at once: CSRF on logout, CSRF on login and CSRF on account connection,” he wrote. “#1 and #2 can be fixed by Facebook, #3 must be fixed by website owners. But in theory all of these features must be protected from CSRF.”

Facebook has provided guidance to developers that can help with the situation, and decided not to fix the issue after balancing flexibility for developers with concerns about security. Instead, Facebook tried to make it more difficult to exploit.  

A Facebook spokesperson told SecurityWeek that site developers using Login can prevent this issue by following the social network’s best practices and using the ‘state’ parameter we provide for OAuth Login.

Advertisement. Scroll to continue reading.

“We’ve also implemented several changes to help prevent login CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login,” the spokesperson noted.

“This is indeed a very big issue as many popular websites use Facebook’s delegated identification, so a widespread exploit could wreak a lot of havoc,” said Branden Spikes, CEO of Spikes Security.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.