Ali Akbar
Attention please!
Penetration testing company Sakurity releases Reconnect which exploits Facebook Login vulnerability and allows hackers to take over sites using it.
Pentesting company Sakurity has released a new tool that allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login. Blaming Facebook for dismal security in its Login options, Sakurity said that they had released the tool to test websites like Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.
The tool, dubbed Reconnect, was released last week by Egor Homakov, a researcher with Sakurity and it takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login.
“Every website with ‘Connect Facebook account and log in with it’ is vulnerable to account hijacking. Every website relying on signed_request (for example official JS SDK) is vulnerable to account takeover, as soon as an attacker finds a 302 redirect to other domain. I don’t think these will be fixed, as I’ve heard from the Facebook team that it will break compatibility. I really wish they would fix it though as you can see below, I feel these are serious issues,” noted Homakov on his blog then.
Facebook says that it had made it harder for the hackers to exploit the vulnerability without affecting the functionality of the OAuth token. It has also said that sites using the Facebook login authorisation token can prevent exploitation by following their best practices and using the ‘state’ parameter Facebook provides for OAuth Login.
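A defender-side illustration of the `state` check that the last paragraph refers to: the callback is only accepted when it carries the unguessable value issued to that same browser session, so a login CSRF link of the kind the post describes fails. This is an added example, not code from Sakurity, Facebook or the Reconnect tool; the provider endpoint, the session dict and the function names are assumptions.

```python
"""Binding an OAuth 2.0 login callback to the user's own session with the
'state' parameter (the mitigation named in the post). Constructed example;
endpoint, session store and names are assumptions, not any vendor's code."""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # assumed provider endpoint


def begin_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Step 1: mint a fresh random state, store it in this user's session and
    send it on the authorization request so the provider echoes it back."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "code", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)


def finish_login(session: dict, callback_url: str) -> Optional[str]:
    """Step 2: return the authorization code only if the callback's state
    matches the one stored in *this* session; otherwise return None.
    A victim who opens a callback URL crafted by someone else has no matching
    state, so the foreign code is never exchanged or linked to their account."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay also fails
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        return None                              # no state issued or none supplied
    if not hmac.compare_digest(expected, received):
        return None                              # state belongs to another session
    return params.get("code", [None])[0]         # safe to exchange for a token


def unbound_finish_login(callback_url: str) -> Optional[str]:
    """The weak pattern the post describes: the code is trusted with no
    session binding, so any callback URL the browser is sent to is accepted."""
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]
```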