Security Firm Releases Tool That Can Hijack Sites Using Facebook Login

Ali Akbar
Attention please!

Penetration testing company Sakurity releases Reconnect, which exploits a Facebook Login vulnerability and allows hackers to take over sites using it.

Pentesting company Sakurity has released a new tool that allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login. Blaming Facebook for dismal security in its Login options, Sakurity said that it had released the tool to test websites like Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.

The tool, dubbed Reconnect, was released last week by Egor Homakov, a researcher with Sakurity, and it takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login.

“Every website with ‘Connect Facebook account and log in with it’ is vulnerable to account hijacking. Every website relying on signed_request (for example the official JS SDK) is vulnerable to account takeover, as soon as an attacker finds a 302 redirect to another domain. I don’t think these will be fixed, as I’ve heard from the Facebook team that it will break compatibility. I really wish they would fix it though, as you can see below; I feel these are serious issues,” noted Homakov on his blog then.

Facebook says that it had made it harder for hackers to exploit the vulnerability without affecting the functionality of the OAuth token. It has also said that sites using the Facebook login authorisation token can prevent exploitation by following their best practices and using the ‘state’ parameter Facebook provides for OAuth Login.
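The mitigation the article refers to, the OAuth `state` parameter, is a per-session CSRF token: the site mints a random value when it starts the login, stores it in the user's own session, and refuses any callback whose `state` does not match. Below is an added example of that check in Python; it is not code from the article, from Sakurity, or from Facebook. The client id, redirect URI and the callback URLs are constructed placeholders, and the session is a plain dict standing in for a real server-side session store.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder app settings, constructed for this example (not a real app id or host).
CLIENT_ID = "EXAMPLE_APP_ID"
REDIRECT_URI = "https://example.invalid/auth/facebook/callback"
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"


class StateError(Exception):
    """Raised when a callback's state does not match the one this session issued."""


def begin_login(session):
    """Start the login flow: mint a random, single-use state bound to this browser
    session and embed it in the authorization URL the user is redirected to."""
    state = secrets.token_urlsafe(32)          # URL-safe, so urlencode leaves it intact
    session["oauth_state"] = state              # only this session knows the value
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": "email",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Validate the callback before exchanging the code or linking any account.
    Returns the authorization code only if the state round-tripped from THIS session.
    The stored state is consumed even on failure, so a callback URL can be used once."""
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        # Either no login was started in this session, or the URL was minted for a
        # different session: treat it as login CSRF and do not link anything.
        raise StateError("state mismatch: refusing to link account")
    code = query.get("code", [None])[0]
    if not code:
        raise StateError("callback carried no authorization code")
    return code


def demo():
    """Walk both paths: a legitimate round trip, and a callback URL that was issued
    to a different session and therefore carries a state this session never minted."""
    user_session = {}
    authorize_url = begin_login(user_session)
    user_state = parse_qs(urlparse(authorize_url).query)["state"][0]
    # Legitimate: the provider sends the user back with the same state and a code.
    good_callback = f"{REDIRECT_URI}?code=CODE_FROM_PROVIDER&state={user_state}"
    code = handle_callback(user_session, good_callback)

    # Cross-session: a callback URL produced under another session (constructed here).
    other_session = {}
    begin_login(other_session)
    foreign_callback = f"{REDIRECT_URI}?code=OTHER_CODE&state={other_session['oauth_state']}"
    fresh_session = {}
    begin_login(fresh_session)
    try:
        handle_callback(fresh_session, foreign_callback)
        rejected = False
    except StateError:
        rejected = True
    return code, rejected


if __name__ == "__main__":
    print(demo())  # expected: ('CODE_FROM_PROVIDER', True)
```

Two details carry the protection: the comparison uses `hmac.compare_digest` rather than `==`, and the stored state is removed with `pop` before the check, so a callback URL cannot be replayed against the same session even if it was valid once.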

Ali Akbar
@Veer @Saad Sheikh @M Shah @Kool Kat @Neha @Namaal @Twilight and all concerned.
Veer
Until this is fixed I think we better turn off the facility of Login with Facebook @Saad Sheikh

Thanks for sharing bro.
M Shah
Until this is fixed I think we better turn off the facility of Login with Facebook @Saad Sheikh

Thanks for sharing bro.
It means I'm out... my account is associated with Facebook!
Veer
Login with Facebook!! I have not created a separate account for Pakistan.web.pk
Wow, you really need to worry about your account. I'd highly recommend you go to this page https://www.pakistan.web.pk/account/security and set a password. If it does not allow you, then log out and open this page: Lost Password | Pakistan Social Web. Enter your name or email and submit; you'll receive an email with instructions on how to get a new password :)

Note: no need to remove your Facebook association, keep it as it is.