IT security firm asks hackers to steal your Facebook log-in

Sakurity's Reconnect tool lets cyber criminals hack Facebook accounts on Mashable, Booking.com, and Vimeo


An IT security firm has called on black hat hackers to break into user accounts on websites using Facebook log-ins.

Sakurity's appeal to cyber criminals was born of frustration with the social network, after the site failed to fix the vulnerability Sakurity notified it of a year ago.

The penetration testing firm has now released Reconnect, a tool that lets hackers target websites like Booking.com, Bit.ly, Mashable.com and Vimeo.

Founder Egor Homakov wrote: "Facebook refused to fix this issue one year ago, unfortunately it's time to take it to the next level and give blackhats this simple tool."

There's even an easy-to-follow guide to help cyber criminals use the tool, telling hackers exactly how to breach these sites' security protocols, presumably in a bid to encourage Facebook to resolve the issue more quickly.

Reconnect works by logging a user into a cyber criminal's Facebook account, and linking the user's account to the hacker's, giving the latter control over the user.

Criminals can start by pasting a Facebook log-out command URL into a web browser, then creating a Canvas application designed to log their victim into the attacker's own Facebook account.

Canvas applications are web pages loaded within Facebook (i.e. when you click on a link and it brings you to the desired external page, but you still see Facebook's blue borders surrounding the content).

This Canvas application will try to log the user in on the user's own account, but Sakurity shows how to redirect that in order to log the user into the hacker's account.

Once that's done, the hacker has direct access to the user's account details, and can "change email/password, cancel bookings, read private messages and so on".

Ken Westin, security researcher at Tripwire, has tested the tool, calling it the real deal.

"I tested this out and it looks legitimate," he said. "This is a phisher's dream really, I am sure we will see a lot of Facebook accounts compromised by this."

But he warned that the threat is even graver when a user relies on the Firefox web browser.

"If a user is logged into Facebook and uses it to log into sites like Mashable or other services, and then clicks on a link that has been created using this vulnerability, an attacker can associate the account with their Facebook account," he explained.

"The attacker can then log into the victim's Mashable account using stolen Facebook credentials. The user still has to click on a link in order for this to happen and, from what I can tell, also needs to be logged into Facebook."

While Sakurity founder Homakov claimed Facebook had refused to fix this issue a year ago, IT Pro understands this not to be the case.

Further, the social network is exploring the use of automated tools to sniff out and block these kinds of hacks, and has contacted hundreds of developers suggesting they change to Facebook's log-in authentication measures, based on the OAuth 2.0 protocol, which would prevent this problem.

A spokesperson for Facebook told IT Pro: "This is a well-understood behaviour. Site developers using Login can prevent this issue by following our best practices and using the 'state' parameter we provide for OAuth Login.

"We've also implemented several changes to help prevent login Cross-Site Request Forgery and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login."
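As an added example (not code from the article, from Facebook or from Sakurity), here is the relying-party side of the OAuth 2.0 login flow the spokesperson refers to, with a weak callback handler that ignores `state` beside the hardened one that binds the callback to the session which started the login. The endpoint URL, the in-memory session store and all names are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed example: a site offering "Log in with Facebook" (the relying party).
# The `state` value is minted per browser session when the login starts and must
# come back unchanged on the callback; a callback minted in someone else's session
# (the login CSRF pattern the article describes) therefore fails the check.

AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"  # illustrative endpoint

class RelyingParty:
    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.sessions: Dict[str, dict] = {}  # server-side store, keyed by session cookie

    def start_login(self, session_id: str) -> str:
        """Build the authorize URL and remember an unguessable state for this session."""
        state = secrets.token_urlsafe(32)
        self.sessions.setdefault(session_id, {})["oauth_state"] = state
        query = urlencode({"client_id": self.client_id,
                           "redirect_uri": self.redirect_uri, "state": state})
        return f"{AUTHORIZE_URL}?{query}"

    def handle_callback_no_state(self, session_id: str, code: str) -> bool:
        """Weak form: trusts any callback, so a code from another person's login
        logs this session into that person's account (login CSRF)."""
        self.sessions.setdefault(session_id, {})["logged_in_with_code"] = code
        return True

    def handle_callback(self, session_id: str, code: str, state: Optional[str]) -> bool:
        """Hardened form: accept the callback only if state matches this session's."""
        sess = self.sessions.get(session_id, {})
        expected = sess.get("oauth_state")
        if expected is None or state is None:
            return False
        if not hmac.compare_digest(expected, state):
            return False
        del sess["oauth_state"]  # single use: a replayed callback is refused
        sess["logged_in_with_code"] = code  # real code would exchange `code` for a token here
        return True

if __name__ == "__main__":
    rp = RelyingParty("app-id", "https://rp.example/callback")
    rp.start_login("victim-session")
    rp.start_login("attacker-session")  # a login begun in a different session
    other_state = rp.sessions["attacker-session"]["oauth_state"]
    # A callback carrying that other session's code and state is refused for the victim.
    print(rp.handle_callback("victim-session", "other-code", other_state))  # False
```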
