"Signup or Login with Facebook" ?? You might think twice before doing that next time. A security researcher has discovered a critical flaw that allows hackers take over Facebook accounts on websites that leverage 'Login with Facebook' feature.
The vulnerability doesn't grant hackers access to your actual Facebook password, but it does allow them to access your accounts using Facebook application developed by third-party websites such as Bit.ly, Mashable, Vimeo, About.me, Stumbleupon, Angel.co and possibly many more.
FLAW EXPLOITS THREE CSRFs PROTECTION
Egor Homakov, a researcher with pentesting company Sakurity, made the social network giant aware of the bug a year ago, but the company refused to fix the vulnerability because doing so would have ruined compatibility of Facebook with a vast number of websites over the Internet.
The critical flaw abuses the lack of CSRF (Cross-Site Request Forgery) protection for three different processes —
- Facebook log in
- Facebook log out
- Third-party account connection
The first two issues "can be fixed by Facebook," Homakov said, but have not done yet. However, the third one needs to be fixed by the website owners those who have integrate "Login with Facebook" feature into their websites.
TOOL TO HACK FACEBOOK ACCOUNTS
Therefore, blaming Facebook for dismal security in 'Login with Facebook' feature, the researcher publicly released a tool, dubbed RECONNECT, that exploits the bug and lets hackers to generate URLs that can be used to hijack accounts on third-party websites that use 'Login with Facebook' button.
"Go blackhats, don’t be shy!" Homakov wrote on his Twitter, allegedly encouraging hackers and cyber criminals to take benefit from his ready to use tool.
Homakov also published a blog post
which gives hackers a step-by-step process for setting up rogue Facebook accounts that victims are redirected to when they tricked into clicking on malicious URLs provided by the attackers.
"Now our Facebook account is connected to the victim account on that website and we can log in that account directly to change email/password, cancel bookings, read private messages and so on," Homakov wrote in a blog post.
RECONNECT Facebook hacking tool can generate malicious URLs to hijack Facebook accounts on third-party website including Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable and Vimeo.
However, any website that supports 'Login with Facebook' can be hacked by manually inserting its link into the tool that generates Facebook login requests on behalf of its users.
HOW TO PROTECT YOURSELF ?
One could realize the dangerous consequences of RECONNECT Facebook hacking tool by calculating how many number of websites over Internet use that blue color ' f ' button of Facebook login. And once a hacker makes a way to get into you account, they could access your private information and use them to hack into your other online accounts.
So, in order to prevent your accounts from malicious hackers, Do Not click on any suspicious URLs provided to you via online messages, emails or social media accounts. And always be careful while surfing over the Internet.
FACEBOOK RESPONDS TO THE ISSUE
Facebook says it has been aware of the issue for some time now and that third-party sites can protect their users by utilizing Facebook's best practices when using the Facebook sign-in feature.
A Facebook spokesperson released a statement saying, "This is a well-understood behaviour. Site developers using Login can prevent this issue by following our best practices and using the 'state' parameter we provide for OAuth Login."
The company also added that they have also made various changes in order to help prevent login CSRF and are evaluating others while "aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login."