Makerere University


Tool Hijacks Accounts on Sites Using Facebook Login


A security researcher has released a tool that allows hackers to hijack accounts on sites that use Facebook logins.

The tool is called Reconnect, and was developed by Egor Homakov, a researcher with security auditing firm Sakurity. Reconnect works by exploiting cross-site request forgery (CSRF) issues impacting Facebook Login, the feature that enables users to log in to third-party websites via their Facebook accounts.

Essentially, the attack works by creating a link that, when clicked, logs the victim out of their legitimate account and into a Facebook account under the control of the attacker. The attack connects the attacker's Facebook account to the victim's account on the third-party site, allowing the attacker to log into that account directly and change information such as email addresses, passwords and so on.
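A third-party site can refuse the account-linking step described above when the callback was not started from the victim's own session. The following is an added example, not code from the article, Sakurity or Facebook: it shows a session-bound, single-use `state` check (the anti-CSRF parameter defined by OAuth 2.0), and the function names, the `session` dict and the `links` store are assumptions made for illustration.

```python
import hmac
import secrets


def begin_connect(session: dict) -> str:
    """Start a 'connect Facebook account' flow for the logged-in user.

    Returns the state value the site places in its authorization request.
    `session` is a hypothetical server-side session dict.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    # Remember which local account asked for the link.
    session["oauth_state_user"] = session["user_id"]
    return state


def finish_connect(session: dict, returned_state, provider_user_id: str,
                   links: dict) -> bool:
    """Handle the login-provider callback.

    The provider identity is linked only if the callback carries the state
    issued to this same session. `links` is a hypothetical store mapping
    local user id -> linked provider id.
    """
    # pop() makes the state single use: a replayed callback finds nothing.
    expected = session.pop("oauth_state", None)
    issued_for = session.pop("oauth_state_user", None)
    if not expected or not isinstance(returned_state, str) or not returned_state:
        return False  # no connect flow was started from this session
    # Compare as bytes so non-ASCII input cannot raise, in constant time.
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return False  # state was issued to a different session, or forged
    if issued_for != session.get("user_id"):
        return False  # the logged-in user changed mid-flow
    links[session["user_id"]] = provider_user_id
    return True
```

A callback reached through a forged link carries no state issued to the victim's session, so `finish_connect` returns `False` and the existing account is left unlinked.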

"RECONNECT is a ready to use tool to hijack accounts on websites with Facebook Login, for example Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others," blogged Homakov. "Feel free to copy and modify its source code. Facebook refused to fix this issue one year ago, unfortunately it’s time to take it to the next level and give blackhats this simple tool."

For more details, see the source: http://www.securityweek.com/tool-hijacks-accounts-sites-using-facebook-login
