Pierluigi Paganini March 11, 2015

The security expert Egor Homakov from Sakurity firm has released the Reconnect tool that allows hackers to hijack accounts on sites that use Facebook logins.

The security expert Security Egor Homakov has developed a hacking tool dubbed Reconnect that exploit a flaw in Facebook to hijack accounts on sites that use Facebook logins.

Homakov, with works for the pentesting company Sakurity, reported the flaw to Facebook a year ago, but the company doesn’t apply a fix to maintain compatibility with a vast number of websites that used the service of the social network giant for their login process.

Reconnect exploits cross-site request forgery (CSRF) flaws impacting Facebook Login, which allows users to log-in to third-party websites via their Facebook accounts. Basically the vulnerability allows attackers to access victims accounts using Facebook application developed by third-party websites such as Mashable,Vimeo, About.me, Stumbleupon and many others.

“RECONNECT is a ready to use tool to hijack accounts on websites with Facebook Login, for example Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others,” wrote Homakov in a blog post. “Feel free to copy and modify its source code. Facebook refused to fix this issue one year ago, unfortunately it’s time to take it to the next level and give blackhats this simple tool.”

• Facebook log in
• Facebook log out
• Third-party account connection

Homakov explained that the first two issues “can be fixed by Facebook,” meanwhile the third one needs to be fixed by the website administrators that have integrated “Login with Facebook” feature into their websites.

“This bug abuses triple-CSRFs at once: CSRF on logout, CSRF on login and CSRF on account connection,” he wrote. “#1 and #2 can be fixed by Facebook, #3 must be fixed by website owners. But in theory all of these features must be protected from CSRF.”

The attack allows to link the Facebook account of the attacker to the victim account on the third-party site, in this way a bad actor is able to log into that account directly and change its settings (i.e. password, email addresses).

“Now our Facebook account is connected to the victim account on that website and we can log in that account directly to change email/password, cancel bookings, read private messages and so on,” said Homakov.

The attack is quite simple, as explained by Homakov, it works by creating a link that when clicked on logs the victim out of it account and into a Facebook account under the control of the attacker.

“It simply relogins you into attacker’s facebook account and connects attacker’s facebook to your account” states the expert.

Facebook said that that website developers using Login can prevent the Reconnect attack by following the best practices suggested by the company and using the ‘state’ parameter implemented for OAuth Login.

“We’ve also implemented several changes to help prevent login CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login,” the spokesperson noted.

Facebook provides a provided guidance to developers that want to integrate the feature in their websites.The flaw discovered by Homakov is a very serious issue due to the large number of websites that implements the feature.

To mitigate the exposure to possible attacks with the Reconnect tool it is suggested to avoid clicking suspicious URLs provided via emails, online messages or shared through social media.

Pierluigi Paganini

(Security Affairs –  Reconnect, Facebook)