Security firm releases tool that can hijack sites using Facebook Login

Penetration testing company Sakurity releases Reconnect which exploits Facebook Login vulnerability and allows hackers to take over sites using it.

Pentesting company Sakurity has released new tool allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login. Blaming Facebook for dismal security in its Login options, Sakurity said that they had released the tool to test websites like Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.

The tool, dubbed Reconnect, was released last week by Egor Homakov, a researcher with Sakurity and it takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login.

Many websites including eCommerce websites use Facebook login as a authorisation token for logging into their websites and this could allow potential hackers to hijack such web accounts with ease. It also opens doors for phishing attacks.

Homakov said that he had publicly disclosed the vulnerability on in blogpost on 26th January, 2014. He noted that Facebook had declined to fix it because doing so would have broken compatibility with a large number of sites that used the service.

Every website with “Connect Facebook account and log in with it” is vulnerable to account hijacking. Every website relying on signed_request (for example official JS SDK) is vulnerable to account takeover, as soon as an attacker finds a 302 redirect to other domain. I don’t think these will be fixed, as I’ve heard from the Facebook team that it will break compatibility. I really wish they would fix it though as you can see below, I feel these are serious issues,” noted Homakov on his blog then.

While releasing the tool, Homakov wrote on a blogpost last Thursday that, since Facebook refused to fix year old issue, he is giving the blackhats a go at the vulnerability with Reconnect.

The tool abuses triple-CSRFs (Cross-Site Request Forgery) vulnerability present in the Facebook login. When potential victims are tricked into clicking on the urls, they are logged out of their own Facebook accounts and into cloned accounts on the social network that have been set up by the attackers. While at the same time, the victims accounts on websites that use Facebook login get linked to these clone accounts.

This can give potential hacker control over the victims’ accounts on those third-party sites, allowing them to change passwords, read private messages and perform other rogue actions using the hijacked accounts, Homakov said.

Homakov has given a step by step tutorial about how to  use Reconnect to navigate around Facebook’s JavaScript and existing login intelligence using a special redirect command. This will drive ‘victims’ to a specified location where they are in fact logged into the Sakurity Facebook account. From here, the account using the Facebook login belongs to Sakurity.

Reconnect can also generate malicious URLs to hijack accounts on Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable and Vimeo. However, many more sites that support Facebook Login can be targeted by manually inputting into the tool the links that trigger Facebook login requests on behalf of their users.

Facebook says that it had made it harder for the hackers to exploit the vulnerability without affecting the functionality of the OAuth token. It has also said that sites using the Facebook login authorisation token can prevent exploitation by following their best practices and using the ‘state’ parameter Facebook provides for OAuth Login.”

2 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Read More

Suggested Post