New Tool Allows Hackers To Hijack Accounts On Sites That Use Facebook Login
By Paul Liu
Wednesday, June 17th, 2015

If you use your Facebook login credentials to log into other websites, then you need to read this article very carefully. A new hacking tool is now available on the internet which allows hackers to hijack accounts on third-party websites that permit login via Facebook. The tool was released by Egor Homakov, who works as a security researcher for the security firm Sakurity, and it relies on a cross-site request forgery (CSRF) vulnerability in the interaction between a website and its trusted login partners.
Egor decided to disclose information about the vulnerability on his blog, and to release the tool, dubbed Reconnect, on the internet after the social networking giant failed to address the issue even a year after becoming aware of it. Facebook decided not to fix the vulnerability since doing so risked breaking the connections between its site and the scores of other portals that let their users log in with the social site's credentials. Egor said that since Facebook is sitting on the issue, he has decided to release the information to the general public and the blackhat community.
The Reconnect tool works by generating malicious URLs that can hijack user accounts on portals which permit their users to log in via Facebook. As per the step-by-step guide published by Egor, the tool works much like a phishing attack and requires the user to click on a malicious link in order to work. Once a user clicks on the fake URL set up by the criminals, he is logged out of his own Facebook account and silently logged into a fake account set up by the attackers. In the process, the user's real account on the third-party portal gets linked with the fake Facebook account controlled by the hackers.
As per additional details supplied by Egor, the vulnerability exploits CSRF at three levels: login, logout and connection. He also said that while the login and logout issues could be handled by Facebook, the connection issue needed to be fixed by the individual website owners. The scary part is that the flaw allowed attackers to gain total control over user accounts on Facebook's partner websites, allowing them to read private messages, change passwords and perform many other rogue actions.
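The "connection" level above is the step each website must fix itself: the callback that links a Facebook identity to the account currently logged in on the site. The following is an added example, not code from the article or from the Reconnect tool, contrasting a callback that links whatever identity it is handed with one that first checks an unguessable `state` value bound to the user's session (the standard OAuth 2.0 CSRF defence; the page itself does not name this mitigation). The session dict, `exchange_code` and the constructed provider table are assumptions for the demonstration.

```python
"""Added example (not from the article or from Sakurity's Reconnect tool):
a site-side OAuth "connect" callback, vulnerable and hardened forms.
Session handling and the provider exchange are simplified stand-ins."""
import hmac
import secrets

# Constructed stand-in for the provider's code-for-identity exchange.
FAKE_PROVIDER = {"code-attacker": "fb-user-attacker", "code-victim": "fb-user-victim"}


def exchange_code(code):
    """Return the provider user id that an authorisation code resolves to (constructed)."""
    return FAKE_PROVIDER[code]


def begin_connect(session):
    """Start the connect flow: mint a nonce, keep it in the session and send it
    along in the redirect so the provider echoes it back on the callback."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return f"https://provider.example/oauth?state={session['oauth_state']}"


def vulnerable_callback(session, query, links):
    """No origin check: any page that makes the victim's browser load this URL
    gets a foreign identity linked to the victim's logged-in site account."""
    links[session["site_user"]] = exchange_code(query["code"])
    return True


def hardened_callback(session, query, links):
    """Link only if the callback carries the exact state issued to this session;
    the state is consumed so the same callback cannot be replayed."""
    expected = session.pop("oauth_state", None)
    presented = query.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return False  # forged or stale callback: link nothing
    links[session["site_user"]] = exchange_code(query["code"])
    return True
```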
Egor also disclosed that the flaw affected a large number of websites, including big sites like Mashable, Vimeo, Booking.com, StumbleUpon and Bit.ly. In addition, hackers could hijack accounts on other websites by manually entering the corresponding Facebook login links into the Reconnect tool.
Security researchers working for other firms have validated Egor's claims and described the Reconnect tool as a real threat that could affect thousands of users. However, some security firms have questioned the claim that Facebook refused to patch such a serious flaw. Responding to the issue, a Facebook spokesman said that the tool exploits well-understood behavior and that site owners can ensure the integrity of user accounts by following the best practices supplied by the company. The social site added that it has rolled out many changes to prevent the abuse of login CSRF and that it was also exploring other options to preserve the functionality of sites that permit login via Facebook.