Security Firm Releases Tool That Can Hijack Sites Using Facebook Login

Ali Akbar
Attention please!

Penetration testing company Sakurity releases Reconnect, which exploits a Facebook Login vulnerability and allows hackers to take over sites using it.

Pentesting company Sakurity has released a new tool that allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login. Blaming Facebook for dismal security in its Login options, Sakurity said that it had released the tool to test websites like Booking.com, Bit.ly, About.me, StumbleUpon, Angel.co, Mashable.com, Vimeo and many others.

The tool, dubbed Reconnect, was released last week by Egor Homakov, a researcher with Sakurity, and it takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login.

“Every website with ‘Connect Facebook account and log in with it’ is vulnerable to account hijacking. Every website relying on signed_request (for example the official JS SDK) is vulnerable to account takeover as soon as an attacker finds a 302 redirect to another domain. I don’t think these will be fixed, as I’ve heard from the Facebook team that it will break compatibility. I really wish they would fix it though; as you can see below, I feel these are serious issues,” noted Homakov on his blog then.

Facebook says that it had made it harder for hackers to exploit the vulnerability without affecting the functionality of the OAuth token. It has also said that sites using the Facebook Login authorisation token can prevent exploitation by following its best practices and using the ‘state’ parameter Facebook provides for OAuth Login.

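As an added example (not code from the article, Sakurity or Facebook), this is the server-side check that the ‘state’ parameter mentioned above enables: the relying party binds each login attempt to the browser session, so a callback URL the session never initiated is rejected instead of logging the victim in. The Login dialog URL, the relying-party redirect URI and the dict-based session store are assumptions made for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: Facebook's Login dialog URL and a hypothetical relying party.
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"
REDIRECT_URI = "https://example-rp.test/auth/facebook/callback"


def query_param(url: str, name: str) -> Optional[str]:
    """Return the first value of a query parameter, or None if absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def start_login(session: dict, client_id: str) -> str:
    """Issue a fresh, unguessable state, bind it to this browser session,
    and build the authorization URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "email",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Return the authorization code only when the callback carries the state
    this session issued. A link crafted by a third party (for example one
    carrying a code tied to someone else's Facebook account) is rejected,
    because the victim's session never issued the state it presents."""
    expected = session.pop("oauth_state", None)  # single use: consumed on first attempt
    presented = query_param(callback_url, "state")
    if expected is None or presented is None:
        return None
    if not hmac.compare_digest(expected, presented):
        return None
    return query_param(callback_url, "code")
```

The state is consumed on the first callback, so a replayed or stale callback is refused as well as a forged one.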
Until this is fixed, I think we had better turn off the facility of Login with Facebook @Saad Sheikh

Thanks for sharing bro.
 
It means I'm out... my account is associated with Facebook!
 
Login with Facebook!! I have not created a separate account for Pakistan.web.pk
Wow, you really need to worry about your account. I'd highly recommend you go to this page https://www.pakistan.web.pk/account/security and set a password. If it does not allow you, then log out and open this page: Lost Password | Pakistan Social Web, enter your name or email and submit; you'll receive an email with instructions on how to get a new password :)

Note: no need to remove your Facebook association, keep it as it is.