Egor Homakov, a security researcher at the penetration testing company “Sakurity”, has discovered a vulnerability that allows malicious hackers to take over accounts on websites that use the ‘Login with Facebook’ feature.
The flaw doesn’t give hackers access to the victim’s Facebook password, but it does allow them to access the victim’s accounts on third-party websites through the Facebook application those websites use for login.
RECONNECT is a ready-to-use tool to hijack accounts on websites with Facebook Login, for example Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others. Feel free to copy and modify its source code. Facebook refused to fix this issue one year ago; unfortunately, it’s time to take it to the next level and give blackhats this simple tool.
What is Cross-Site Request Forgery (CSRF)?
RedTeam Security Consulting can help us with a definition:
A cross-site request forgery attack is a type of malicious attack that forces an end-user to execute an unwanted action, without his/her knowledge on behalf of the attacker, within a web application in which the end-user is currently authenticated. In essence, the end-user (victim) is often tricked into clicking on a link, perhaps inside an email sent from the attacker posing as another party, that will perform a function within the website where the end-user is already authenticated. CSRF attacks generally target functions within websites that are considered “high value,” such as areas of websites that allow users to change passwords, transfer money, change an email address or purchase something.
How to protect yourself?
Quoting an article by TheHackersNews.com:
One could realize the dangerous consequences of the RECONNECT Facebook hacking tool by calculating how many websites over the Internet use that blue ‘ f ‘ button of Facebook login. And once a hacker makes a way to get into your account, they could access your private information and use it to hack into your other online accounts. So, in order to protect your accounts from malicious hackers, do not click on any suspicious URLs provided to you via online messages, emails or social media accounts. And always be careful while surfing over the Internet.
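The advice above is aimed at users; the fix on the website side is to make the Facebook Login callback reject requests the user never initiated. The following is an added example (not code from Sakurity, Facebook or any of the sites named above) of the standard OAuth 2.0 defence against login CSRF: an unguessable, single-use `state` value bound to the user’s session, which a forged callback cannot supply. The session store, redirect URI and app id are constructed stand-ins.

```python
"""Login-CSRF defence for an OAuth 2.0 'Login with Facebook' style callback.

The attack class described in the article relies on a callback endpoint
that accepts whatever authorization code it is handed, so an attacker can
make the victim's browser link the attacker's social account to the victim's
session. Binding a random `state` to the session closes that hole.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory session store: session id -> session data (stand-in
# for a real server-side session backend).
SESSIONS: dict[str, dict] = {}

AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"   # public endpoint
REDIRECT_URI = "https://example.test/auth/fb/callback"    # placeholder
CLIENT_ID = "APP_ID_PLACEHOLDER"                           # placeholder


def begin_login(session_id: str) -> str:
    """Mint a random state, remember it in THIS user's session and return
    the authorization URL the browser should be redirected to."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "email", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def state_from_url(url: str) -> str:
    """Extract the `state` query parameter ('' if absent)."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback(session_id: str, callback_url: str) -> bool:
    """Accept the callback only if it echoes the state issued to this session.

    The stored state is consumed on first use (pop), so a captured callback
    cannot be replayed. A callback with a missing or mismatched state is
    refused before the code would ever be exchanged or linked to an account.
    """
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    received = state_from_url(callback_url)
    if expected is None or not hmac.compare_digest(expected, received):
        return False
    return "code" in parse_qs(urlparse(callback_url).query)
```

A forged request carrying only an attacker-chosen `code`, or a `state` minted for a different session, fails the comparison and the account link never happens.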