IT security firm asks hackers to steal your Facebook log-in
Sakurity's Reconnect tool lets cyber criminals hack Facebook accounts on Mashable, Booking.com, and Vimeo

An IT security firm has called on black hat hackers to break into user accounts on websites using Facebook log-ins.
Sakurity's appeal to cyber criminals was born of frustration with the social network, after the site failed to fix the vulnerability Sakurity notified it of a year ago.
The penetration testing firm has now released Reconnect, a tool that lets hackers target websites like Booking.com, Bit.ly, Mashable.com and Vimeo.
Founder Egor Homakov wrote: "Facebook refused to fix this issue one year ago, unfortunately it's time to take it to the next level and give blackhats this simple tool."
There's even an easy-to-follow guide to help cyber criminals use the tool, telling hackers exactly how to subvert these sites' log-in security, presumably in a bid to push Facebook to resolve the issue more quickly.
Reconnect works by logging a user into a cyber criminal's Facebook account, and linking the user's account to the hacker's, giving the latter control over the user.
Criminals can start by pasting a Facebook log-out command URL into a web browser, then creating a Canvas application designed to log their victim into their own account.
Canvas applications are web pages loaded within Facebook (i.e. when you click on a link and it brings you to the desired external page, but you still see Facebook's blue borders surrounding the content).
Ordinarily this Canvas application would log the user into their own account, but Sakurity shows how to redirect that flow so that the user is logged into the hacker's account instead.
Once that's done, the hacker has direct access to the user's account details, and can "change email/password, cancel bookings, read private messages and so on".
Ken Westin, security researcher at Tripwire, has tested the tool, calling it the real deal.
"I tested this out and it looks legitimate," he said. "This is a phisher's dream really, I am sure we will see a lot of Facebook accounts compromised by this."
But he warned that the threat is even graver when a user relies on the Firefox web browser.
"If a user is logged into Facebook and uses it to log into sites like Mashable or other services, and then clicks on a link that has been created using this vulnerability, an attacker can associate the account with their Facebook account," he explained.
"The attacker can then log into the victim's Mashable account using stolen Facebook credentials. The user still has to click on a link in order for this to happen and, from what I can tell, also needs to be logged into Facebook."
While Sakurity founder Homakov claimed Facebook had refused to fix this issue a year ago, IT Pro understands this not to be the case.
Further, the social network is exploring the use of automated tools to detect and block these kinds of hacks, and has contacted hundreds of developers suggesting they switch to Facebook's log-in authentication measures, based on the OAuth 2.0 protocol, which would prevent this problem.
A spokesperson for Facebook told IT Pro: "This is a well-understood behaviour. Site developers using Login can prevent this issue by following our best practices and using the 'state' parameter we provide for OAuth Login.
"We've also implemented several changes to help prevent login Cross-Site Request Forgery and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login."
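The `state` parameter Facebook refers to is the standard OAuth 2.0 defence against login CSRF: the site mints a random value when it starts the log-in, stores it against the visitor's own session, and refuses any callback whose `state` does not match. The following is an added illustration of that check written for this article; it is not code from Sakurity, Facebook or any of the sites named above. The app id, redirect URI, authorization endpoint path and the use of a plain dict as the server-side session are all assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for illustration; not a real app id or registered URI.
APP_ID = "APP_ID_PLACEHOLDER"
REDIRECT_URI = "https://relying-party.example/auth/facebook/callback"
# Authorization dialog URL assumed for this example; confirm against provider docs.
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"


def begin_login(session: dict) -> str:
    """Start a Facebook Login flow for one browser session.

    Mints a fresh random `state`, stores it server-side against the session and
    returns the authorization URL the browser should be redirected to. The state
    is the only thing that ties the eventual callback back to the session that
    asked for it.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": APP_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "email",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_from_url(url: str) -> str:
    """Read the `state` out of an authorization URL (helper used by the checks)."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback(session: dict, query_string: str) -> tuple:
    """Validate the redirect back to REDIRECT_URI before touching any account.

    Returns (accepted, reason). The callback is accepted only when the `state`
    it carries equals the one minted for *this* session. A callback URL that
    was crafted elsewhere and handed to the visitor carries no state, or a
    state minted for some other session, so it is rejected before the code is
    exchanged and before any Facebook identity is linked to the local account.
    """
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    if expected is None:
        return False, "no login in progress for this session"
    query = parse_qs(query_string)
    presented = query.get("state", [""])[0]
    if not hmac.compare_digest(expected, presented):
        return False, "state mismatch: treat as login CSRF and abort"
    if "code" not in query:
        return False, "authorization code missing"
    # Only now would the code be exchanged for a token and the returned user id
    # linked to the account of the user who started this flow.
    return True, "accepted"
```

The two properties that matter are that the state is bound to the session that started the flow (so a callback minted for another session never matches) and that it is consumed on first use (so a captured callback cannot be replayed). Comparing with `hmac.compare_digest` rather than `==` avoids leaking the expected value through timing.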