
Egor Homakov, a researcher from the security firm Sakurity, has released a new tool to hijack accounts on sites that use Facebook Login. The tool works based on a security weakness in the Facebook Login service, which Homakov had disclosed in January 2014. At the time, Facebook had no interest in fixing the issue, because it would have broken compatibility with many third-party sites that use the service. In order to force their hand and get Facebook to deal with the issue, Homakov released the tool to hijack accounts with an explanation on how it works on his blog.

The tool works by creating URLs which, when clicked, will log a user out of their Facebook account and into a rogue account set up by the attacker. Then the victim’s accounts on sites that use Facebook Login will be linked to the rogue Facebook account without their knowledge, giving the attacker access to those accounts. Using this tool, an attacker can gain access to accounts on a large number of sites that use Facebook Login, including Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable and Vimeo.

According to Homakov, this exploit works because Facebook lacks protection against cross-site request forgery. Specifically, there are three areas that lack CSRF protection: Facebook login, Facebook logout, and third-party account connection. Although Facebook can fix the first two, it is up to third-party sites to secure their connection to Facebook accounts.

Facebook has taken some steps to deal with this issue. They have made changes to secure the login function against CSRF attacks. Facebook now issues guidelines to third parties that integrate Facebook Login, informing them of the issue and how to deal with it. A statement by Facebook claims that websites can prevent this attack by following the best practices they provide to third-party developers. However, it is hard for a user to know whether third-party sites have actually followed those best practices. The safest way to avoid this, and many other nasty attacks, is to avoid clicking suspicious links.
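The third part of the problem, the account-connection step, is the one the article says only the third-party site can fix. The following is an added example, not Homakov's tool and not Facebook's or any real site's code, showing why a "connect account" callback that accepts whatever identity it is handed is hijackable, beside the standard OAuth 2.0 defence: a per-session, single-use `state` nonce that the site issues when the flow starts and verifies when the provider redirects back. The provider hostname, client id, callback URL, user ids and one-time codes are all constructed placeholders, and the code-for-identity exchange is simulated with a table rather than a real token endpoint. The page does not name the `state` parameter itself; it is the usual mechanism behind the "best practices" it refers to.

```python
import hmac
import secrets

# Constructed stand-in for the identity provider's code-for-identity exchange.
# A real site exchanges the code server-to-server; a table is enough here.
_PROVIDER_CODES = {
    "code-for-victim": "provider-user-1001",
    "code-for-attacker": "provider-user-9999",
}


def exchange_code(code):
    """Return the provider account id that a one-time code stands for."""
    return _PROVIDER_CODES[code]


class Session:
    """The third-party site's server-side session for a logged-in user."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.oauth_state = None  # pending anti-CSRF nonce, if a flow is in progress


def begin_link_vulnerable(session):
    """Start the 'connect your account' flow with nothing tying it to this session."""
    return ("https://idp.example/authorize?client_id=demo-app"
            "&redirect_uri=https://site.example/cb")


def finish_link_vulnerable(session, params, links):
    """Accept any callback and bind whatever identity it carries to the current user.

    A forged callback URL clicked by a logged-in victim therefore links the
    attacker's provider account to the victim's site account."""
    links[session.user_id] = exchange_code(params["code"])
    return True


def begin_link_hardened(session):
    """Start the flow with a fresh, unguessable state nonce stored in the session."""
    session.oauth_state = secrets.token_urlsafe(32)
    return ("https://idp.example/authorize?client_id=demo-app"
            "&redirect_uri=https://site.example/cb"
            f"&state={session.oauth_state}")


def finish_link_hardened(session, params, links):
    """Bind the identity only if the callback carries the state this session issued."""
    expected = session.oauth_state
    session.oauth_state = None  # single use: a replayed callback fails even with a valid state
    supplied = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False  # forged or stale callback: do not link, do not log anyone in
    links[session.user_id] = exchange_code(params["code"])
    return True


def simulate_forged_callback(begin, finish):
    """A victim logged in as site user 42 follows a link that lands on the callback
    endpoint with a code for the attacker's provider account. Returns the link table."""
    links = {}
    victim = Session(user_id=42)
    begin(victim)  # whatever flow the victim had started, the forged URL ignores it
    forged = {"code": "code-for-attacker", "state": "value-the-attacker-cannot-know"}
    finish(victim, forged, links)
    return links


def legitimate_link_with_replay():
    """The genuine hardened flow succeeds once; a replay with the same state is rejected."""
    links = {}
    user = Session(user_id=42)
    url = begin_link_hardened(user)
    state = url.rsplit("state=", 1)[1]  # the provider echoes state back on the redirect
    finish_link_hardened(user, {"code": "code-for-victim", "state": state}, links)
    replayed = finish_link_hardened(user, {"code": "code-for-attacker", "state": state}, links)
    return links, replayed


if __name__ == "__main__":
    print("vulnerable:", simulate_forged_callback(begin_link_vulnerable, finish_link_vulnerable))
    print("hardened:  ", simulate_forged_callback(begin_link_hardened, finish_link_hardened))
    print("legitimate:", legitimate_link_with_replay())
```

The hardened handler clears the nonce before comparing it, so a second arrival of the same callback is refused even if the provider's code were still valid, and `hmac.compare_digest` keeps the comparison constant-time. The same pattern applies to the initial "log in with provider" step: a site that binds every inbound callback to a nonce it issued cannot be made to accept a session the user never started.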

Do you think Facebook has done enough to deal with this issue? Leave your comments below.


Max Michael

Senior Writer

I’m a technology reporter located near the Innovation District of Kitchener-Waterloo, Ontario.



  • penguinman

    This is exactly why the “login with X” trend is a terrible idea, at least on sites that have any kind of personal or financial info at all. Separate, secure passwords on every site that has any kind of sensitive info at all, and turn on 2 factor if enabled.

  • TheCybercoco

    Actually, the safest way to avoid this is to have never connected the account to 3rd party sites to begin with. I never felt safe about that technology. Glad I never did.

  • Nick

    Actually the safest way to avoid this is a lot simpler: Stop trying to use Facebook as a be-all login method. Create separate accounts for everything with different passwords.