A security researcher has released a tool that allows hackers to hijack accounts on sites that use Facebook logins.
The tool is called Reconnect, and was developed by Egor Homakov, a researcher with security auditing firm Sakurity. Reconnect works by exploiting cross-site request forgery (CSRF) issues impacting Facebook Login, which enables users to log-in to third-party websites via their Facebook accounts.
Essentially, the attack works by creating a link that when clicked on logs the victim out of their legitimate account and into a Facebook account under the control of the attacker. The attack connects the Facebook account of the attacker to the victim account on the third-party site, allowing the attacker to log into that account directly and change information such as email addresses, passwords and so on.
“RECONNECT is a ready to use tool to hijack accounts on websites with Facebook Login, for example Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others,” blogged Homakov. “Feel free to copy and modify its source code. Facebook refused to fix this issue one year ago, unfortunately it’s time to take it to the next level and give blackhats this simple tool.
“This bug abuses triple-CSRFs at once: CSRF on logout, CSRF on login and CSRF on account connection,” he wrote. “#1 and #2 can be fixed by Facebook, #3 must be fixed by website owners. But in theory all of these features must be protected from CSRF.”
Facebook has provided guidance to developers that can help with the situation, and decided not to fix the issue after balancing flexibility for developers with concerns about security. Instead, Facebook tried to make it more difficult to exploit.
A Facebook spokesperson told SecurityWeek that site developers using Login can prevent this issue by following the social network’s best practices and using the ‘state’ parameter we provide for OAuth Login.
“We’ve also implemented several changes to help prevent login CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login,” the spokesperson noted.
“This is indeed a very big issue as many popular websites use Facebook’s delegated identification, so a widespread exploit could wreak a lot of havoc,” said Branden Spikes, CEO of Spikes Security.