Because Facebook has refused to fix a flaw he discovered in January 2014, a researcher has published Reconnect, a tool that hijacks accounts on sites that use Facebook Login.
Revenge is a dish best served cold. Last week, security researcher Egor Homakov of the security company Sakurity released Reconnect, a tool that hijacks accounts on sites that use Facebook Login. Reconnect exploits a cross-site request forgery (CSRF) vulnerability in Facebook Login, the service that lets users sign in to third-party sites with their Facebook account.
The researcher had already disclosed the flaw on his personal blog in January 2014; Facebook declined to fix it on the grounds that a patch would break compatibility with the large number of sites using the service. "Facebook refused to solve this problem a year ago, and the time has unfortunately come to move to the next level and deliver this tool to the hacker community," Egor Homakov wrote on his blog on Thursday.
Reconnect generates URLs that tie Facebook Login to fake Facebook accounts. This could potentially be used in mass phishing campaigns. When a victim clicks the URL, they are logged out of their own Facebook account and logged in to a fake account set up by the attacker. In the background, their accounts on websites that use Facebook Login are then linked to that fake Facebook account. "This is how hackers hijack victim accounts on third-party sites and take control of them. They can then change the passwords, read private messages and do a bunch of other dishonest things," the Sakurity researcher said.
Reconnect can also generate malicious URLs
The proof-of-concept Reconnect tool can also generate malicious URLs that hijack accounts on sites such as Booking.com, Bit.ly, About.me, StumbleUpon, Angel.co, Mashable and Vimeo. It can target many more Facebook Login enabled sites if the links that trigger a login request to Facebook on behalf of a legitimate user are entered into the tool by hand. "In total, the attack exploits a lack of CSRF protection in three distinct processes: logging in to Facebook, logging out of Facebook, and logging in to the third-party account," said Egor Homakov. According to him, the first two problems can be fixed by Facebook, but the third must be fixed by the sites that integrate Facebook Login.
Facebook has tried to make the flaw harder to exploit without removing the feature, and has given advice to website developers. "It's a situation that we understand," the social network said in an emailed statement. "Web developers who use Facebook Login can avoid the problem by following our best practices and using the state parameter we provide for OAuth Login."
Facebook also said it had "made several changes to prevent CSRF logins" and was studying "alternatives that preserve the Facebook Login functionality implemented by a large number of sites."
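As an added example (not from the article, Sakurity or Facebook's own documentation), this is the site-side fix the statement refers to: an OAuth callback that only accepts an authorization code when the returned `state` matches a random value bound to the user's session, which is what defeats the third of the three CSRF weaknesses Homakov lists. The in-memory session dict and the `fake_exchange` helper are constructed stand-ins for a real session store and the code-for-token exchange.

```python
import hmac
import secrets


def begin_login(session):
    """Before redirecting to the OAuth dialog, bind a fresh random state to
    this user's server-side session and return it for the redirect URL's
    `state` parameter. (session: constructed dict standing in for a real store)"""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def handle_callback_unsafe(session, params, exchange_code):
    """Vulnerable pattern: the callback accepts any code without checking
    state, so a crafted callback URL opened by the victim logs their
    session in as whichever account the code belongs to (login CSRF)."""
    return exchange_code(params["code"])


def handle_callback_safe(session, params, exchange_code):
    """Hardened pattern: the returned state must equal the one stored for
    this session; it is compared in constant time and consumed on first
    use so it cannot be replayed. Anything else is rejected."""
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if not expected or not received or not hmac.compare_digest(expected, received):
        raise PermissionError("OAuth state mismatch: possible login CSRF")
    return exchange_code(params["code"])


def fake_exchange(code):
    # Constructed stand-in for exchanging the code for an identity at the
    # provider; a real implementation would call the token endpoint.
    return {"victim-code": "victim-account", "attacker-code": "attacker-account"}[code]
```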