Egor Homakov discovered that the “Sign-in or Login with Facebook” is the gateway to allowing access to your Facebook account. Those Hackers didn’t get your passward but they can access your account via a third part app like Bit.ly, Mashable, Vimeo, About.me, Stumbleupon, Angel.co and possibly many more.
So avoid using your Facebook account on different platforms, because if you won’t you will eventually be a victim of cyber crime. The most interesting thing about that the Facebook knew about this flaw from a year according to Egor Homakov. But they were not able to fix it because of the large number of sites use this service for their log-in. Because Facebook is still the largest social networking site in the globe.
Egor Homakov provided the step-by-step instruction in a blog post to setup a rogue FB account to which the victims are redirected to after they get tricked to clicking the malicious URLs generated by the attackers with the Reconnect tool.
The flaw abuses the lack of CSRF protection for the following processes:
- Facebook Log-in.
- Facebook Log-out.
- Third Party account connection.
Egor Homakov added that Facebook cannot fix the third issue which is ‘Third party account connection”. It can only be fixed by the website admin who installed the Log-in with Facebook feature in its website. The other two vulnerabilities can be fixed by the Facebook.
The attack allows to link the Facebook account of the attacker to the
victim account on the third-party site, in this way a bad actor is able
to log into that account directly and change its settings (i.e.
password, email addresses).
Egor Homakov explained that the attack is quite easy. It works by creating a link that when clicked on logs the victim out of it account and into a Facebook account under the control of the attacker.it works by creating a link that when clicked on logs the victim out of it account and into a Facebook account under the control of the attacker.
Facebook also released an statement that, ” We’ve also implemented several changes to help prevent log-in CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Log-in,”