Egor Homakov, a researcher at the security firm Sakurity, has released a tool that hijacks accounts on sites that use Facebook Login. The tool relies on a weakness in the Facebook Login service that Homakov disclosed to Facebook in January 2014. At the time, Facebook declined to fix the issue, because doing so would have broken compatibility with many third-party sites that use the service. To force Facebook's hand, Homakov released the account-hijacking tool together with an explanation of how it works on his blog.
The tool generates URLs which, when clicked, log the victim out of their own Facebook account and log them into a rogue Facebook account controlled by the attacker. If the victim's browser is then sent through the "connect with Facebook" step of a site that uses Facebook Login, the victim's account on that site is linked to the rogue Facebook account without their knowledge, and the attacker can sign into it afterwards simply by choosing "Log in with Facebook" with the rogue account. Using this tool, an attacker can gain access to accounts on a large number of sites that use Facebook Login, including Booking.com, Bit.ly, About.me, StumbleUpon, Angel.co, Mashable and Vimeo.
According to Homakov, the exploit works because three steps in the flow lack protection against cross-site request forgery (CSRF): Facebook logout, Facebook login, and the third-party site's own "connect a Facebook account" step. Facebook can fix the first two, but it is up to each third-party site to secure the step that links a Facebook account to one of its own accounts. The usual OAuth `state` parameter only protects the callback; if the connect flow can be started by a plain cross-site GET request, a flow the attacker forces the victim's browser to start carries a perfectly valid `state`, so the start of the flow itself needs CSRF protection as well.
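The following is an added, self-contained simulation of the attack chain described above and of the third-party fix; it is example code written for this article, not code from Homakov, Sakurity or Facebook. The "Facebook" side, the site, the user names and the endpoint names are constructed stand-ins: the Facebook login and logout CSRF are modelled as the attacker simply deciding which Facebook user the victim's browser is logged in as, and the token exchange is a dictionary lookup. The site checks `state` on the callback in both configurations; what differs is whether the connect step can be started by a cross-site navigation that carries the victim's cookies but not the form's session-bound CSRF token.

```python
"""Simulated 'Connect with Facebook' flow on a third-party site, before and after
CSRF-protecting the connect step.  Constructed example: no network calls are made,
and every identifier below is a stand-in rather than a real Facebook API."""
import hmac
import secrets


class FakeFacebook:
    """Stand-in for Facebook's OAuth dialog and token endpoint.  The code it issues
    belongs to whoever is logged in on the Facebook side, which is exactly what the
    logout + login CSRF steps of the attack let the attacker choose."""

    def __init__(self):
        self.logged_in_user = None
        self.codes = {}  # authorization code -> Facebook user it was issued for

    def dialog(self, state):
        # Facebook redirects back to the site with ?code=...&state=... (state echoed as sent)
        code = secrets.token_urlsafe(16)
        self.codes[code] = self.logged_in_user
        return {"code": code, "state": state}

    def exchange(self, code):
        # Stand-in for the code-for-token exchange; returns the owning Facebook user
        return self.codes.pop(code)


class Site:
    """Third-party site using Facebook Login.  `session` dicts stand in for the
    cookie-backed server session of the browser making each request."""

    def __init__(self, fb, csrf_protect_connect_step):
        self.fb = fb
        self.csrf_protect_connect_step = csrf_protect_connect_step
        self.links = {}  # site user -> linked Facebook user

    def start_connect(self, session, form):
        """Handles the 'Connect with Facebook' button.  When protected, it is a POST
        that must carry the session-bound CSRF token embedded in the site's own form."""
        if self.csrf_protect_connect_step:
            if not hmac.compare_digest(session["csrf"], form.get("csrf", "")):
                raise PermissionError("connect step rejected: missing or invalid CSRF token")
        state = secrets.token_urlsafe(16)
        session["oauth_state"] = state  # bound to this browser session
        return state  # the site would now redirect the browser to the Facebook dialog

    def callback(self, session, params):
        """OAuth callback: verifies `state`, exchanges the code, links the accounts."""
        expected = session.pop("oauth_state", None)
        if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
            raise PermissionError("callback rejected: state mismatch")
        fb_user = self.fb.exchange(params["code"])
        self.links[session["user"]] = fb_user
        return fb_user


def browser_walks_flow(site, session, form):
    """The browser follows the redirect chain site -> Facebook -> site."""
    state = site.start_connect(session, form)
    params = site.fb.dialog(state)
    return site.callback(session, params)


def reconnect_attack(csrf_protect_connect_step):
    """Runs the attack against a site with or without a protected connect step and
    returns which Facebook user ends up linked to the victim's site account."""
    fb = FakeFacebook()
    site = Site(fb, csrf_protect_connect_step)
    victim = {"user": "victim@site.example", "csrf": secrets.token_urlsafe(16)}
    # Steps 1 and 2 of the attack (logout CSRF, then login CSRF on Facebook): the
    # victim's browser is now logged into the attacker's Facebook account.
    fb.logged_in_user = "fb:attacker"
    # Step 3: the attacker's page sends the victim's browser to the site's connect
    # endpoint.  The cross-site request carries the victim's cookies (their site
    # session) but cannot carry the CSRF token from the site's own form.
    try:
        browser_walks_flow(site, victim, form={})
    except PermissionError:
        pass  # protected site refused to start the flow
    return site.links.get(victim["user"])  # "fb:attacker" if the hijack succeeded


def legitimate_connect():
    """Sanity check: a real user clicking the site's own button still links correctly."""
    fb = FakeFacebook()
    site = Site(fb, csrf_protect_connect_step=True)
    user = {"user": "victim@site.example", "csrf": secrets.token_urlsafe(16)}
    fb.logged_in_user = "fb:victim"
    browser_walks_flow(site, user, form={"csrf": user["csrf"]})
    return site.links[user["user"]]


if __name__ == "__main__":
    print("unprotected connect step, victim linked to:", reconnect_attack(False))
    print("protected connect step, victim linked to:", reconnect_attack(True))
    print("legitimate connect, user linked to:", legitimate_connect())
```

Note that the unprotected site passes its own `state` check: the victim's session generated the state, so the callback looks legitimate even though the attacker chose the Facebook account behind the code. The connect step must therefore be a CSRF-protected POST in its own right; `state` still belongs on the callback, but it addresses a different attack (an attacker injecting their own callback URL) and does not stop this one.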
Facebook has taken some steps to deal with the issue. It has changed its login function to protect it against CSRF attacks, and it now issues guidelines to third parties that integrate Facebook Login, informing them of the issue and how to deal with it. In a statement, Facebook said that websites can prevent this attack by following the best practices it provides to third-party developers. However, it is hard for a user to know whether a given third-party site has actually followed those best practices. The safest way to avoid this attack, and many other nasty ones, is to avoid clicking suspicious links.
Do you think Facebook has done enough to deal with this issue? Leave your comments below.