The tool, dubbed Reconnect, was released last week by Egor Homakov, a researcher with Sakurity. It takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login. Many websites, including e-commerce sites, accept a Facebook Login authorisation token as the credential for logging into their own accounts, which lets an attacker hijack such accounts with ease and also opens the door to phishing attacks. Homakov said he had publicly disclosed the vulnerability in a blog post on 26th January, 2014. He noted that Facebook had declined to fix it because doing so would have broken compatibility with a large number of sites that used the service.

When releasing the tool, Homakov wrote in a blog post last Thursday that, since Facebook had refused to fix the year-old issue, he was giving blackhats a go at the vulnerability with Reconnect.

The tool abuses a "triple CSRF" in Facebook Login. When victims are tricked into clicking the generated URLs, they are logged out of their own Facebook accounts and logged into clone accounts on the social network that the attacker has set up. At the same time, the victims' accounts on websites that use Facebook Login get linked to these clone accounts. Because the attacker controls the Facebook account those third-party accounts are now bound to, they can log in as the victim on those sites and change passwords, read private messages and perform other rogue actions using the hijacked accounts, Homakov said.

Homakov has given a step-by-step tutorial on how to use Reconnect to get around Facebook's JavaScript and existing login checks using a special redirect. This drives victims to a specified location where they are in fact logged into the Sakurity Facebook account; from that point, the third-party account tied to that Facebook Login belongs to Sakurity.
Reconnect can also generate malicious URLs to hijack accounts on Booking.com, Bit.ly, About.me, StumbleUpon, Angel.co, Mashable and Vimeo. Many more sites that support Facebook Login can be targeted by manually entering into the tool the links that trigger Facebook Login requests on behalf of their users. Facebook says it has made the vulnerability harder to exploit without affecting the functionality of the OAuth flow. It has also said that sites using Facebook Login can prevent exploitation by following its best practices and using the 'state' parameter that Facebook provides for OAuth Login. The state parameter is the standard OAuth defence against login CSRF: the site generates an unguessable value, binds it to the visitor's session before redirecting to the provider, and rejects any callback whose state does not match, so a callback URL forged by an attacker for a different browser session is not honoured.
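The mechanics of the account-linking step and the 'state' fix, as an added example that is not Homakov's tool nor any Facebook or site code. The OAuth provider is simulated in-process (the `AUTHORIZE_URL`, `REDIRECT_URI` and `CLIENT_ID` values are placeholders, not real endpoints), and the attacker's preparatory step of logging the victim into a clone Facebook account is collapsed into "the attacker holds an authorization code for their own provider account". A callback handler that ignores `state` links the victim's site account to the attacker's provider account; the hardened handler refuses the forged callback because the victim's session never minted that state.

```python
"""Login-CSRF demo for an OAuth-style 'connect your account' callback.

Constructed example: the provider is simulated in memory, so it runs offline.
Endpoint names and client ID are hypothetical placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth/authorize"   # hypothetical
REDIRECT_URI = "https://shop.example/auth/callback"           # hypothetical
CLIENT_ID = "demo-app"                                        # hypothetical

# Simulated provider: one-time authorization codes -> the provider account
# that granted them. An attacker can always obtain a code for *their own*
# provider account and plant it in a callback URL for someone else to open.
PROVIDER_CODES = {}


def provider_issue_code(provider_user):
    code = secrets.token_urlsafe(16)
    PROVIDER_CODES[code] = provider_user
    return code


def provider_exchange_code(code):
    # One-time use, like a real token endpoint.
    return PROVIDER_CODES.pop(code, None)


def build_login_url(session):
    """Start the flow: mint an unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)


def _code_from(callback_url):
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]


def vulnerable_callback(session, callback_url):
    """Links whatever provider account the code resolves to, no state check.

    Anyone who can make this browser load a crafted callback URL chooses
    which provider account the logged-in site user gets bound to.
    """
    provider_user = provider_exchange_code(_code_from(callback_url))
    if provider_user is None:
        return "error: bad code"
    session["linked_provider_user"] = provider_user
    return "linked"


def hardened_callback(session, callback_url):
    """Same flow, but the callback must carry the state this session minted."""
    expected = session.pop("oauth_state", None)          # single use
    received = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return "error: state mismatch"
    provider_user = provider_exchange_code(_code_from(callback_url))
    if provider_user is None:
        return "error: bad code"
    session["linked_provider_user"] = provider_user
    return "linked"


def simulate_attack(callback):
    """Victim, logged into the site, follows an attacker-crafted callback link.

    Returns (handler result, provider account the victim's session is now linked to).
    """
    victim_session = {"user": "victim"}                  # never started OAuth
    attacker_code = provider_issue_code("attacker-provider-account")
    forged = REDIRECT_URI + "?" + urlencode({"code": attacker_code, "state": "x"})
    return callback(victim_session, forged), victim_session.get("linked_provider_user")


def simulate_legit(callback):
    """The honest flow: the site starts it, the provider redirects back with the same state."""
    session = {"user": "victim"}
    state = parse_qs(urlparse(build_login_url(session)).query)["state"][0]
    code = provider_issue_code("victim-provider-account")
    genuine = REDIRECT_URI + "?" + urlencode({"code": code, "state": state})
    return callback(session, genuine), session.get("linked_provider_user")


if __name__ == "__main__":
    print("vulnerable, attack:", simulate_attack(vulnerable_callback))
    print("hardened,   attack:", simulate_attack(hardened_callback))
    print("hardened,   legit: ", simulate_legit(hardened_callback))
```

The state must be unguessable, tied to the session that started the flow, and consumed on first use; a fixed or predictable value gives no protection, since the attacker can simply include it in the forged URL. Using `hmac.compare_digest` keeps the comparison constant-time, which is cheap insurance even though the state is single-use.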