A researcher has created an easy-to-use tool designed to hijack accounts on websites that use the Facebook Login button, such as Booking.com, About.me, Vimeo, and even news site Mashable.
The tool, called RECONNECT, takes advantage of three bugs in the implementation of the Facebook Login button on those sites, allowing a hacker to take over someone's account after tricking the victim into clicking on a malicious link. It's important to note that this tool doesn't allow an attacker to take over Facebook accounts, but only accounts on third-party sites that use the Facebook Login button.
Egor Homakov, the researcher who found the bug, claimed that he actually discovered it last year, and that he warned Facebook—but the company didn't listen to him. That's why "it's time to take it to the next level and give blackhats this simple tool," as he wrote in a blog post explaining the bug, published on Thursday.
RECONNECT account hijacker for Facebook Login - free to use and copy http://t.co/pKl8TZmoaE Go be blackhats, don't be shy!
— Egor Homakov (@homakov) March 7, 2015
"Go be blackhats, don't be shy!" he wrote on Twitter, apparently encouraging malicious hackers (blackhats) to take advantage of the tool. On Monday, however, Homakov told Motherboard that he created the tool because he had some "spare time" and the information "is public anyway."
Independent security experts have reviewed Homakov's research for Motherboard, and confirmed that the bug is legitimate, although it's unclear whether it still works. This exploit basically allows an attacker to take over a person's "cookie" for the target website and access the victim's account on that site, according to Patrick Nielsen, a security researcher at Kaspersky Lab.
A Facebook spokesperson told Motherboard that "this is a well-understood behavior" and that it can be prevented by site developers by adopting Facebook's best practices when using the social network's Login button.
"We've also implemented several changes to help prevent login CSRF [Cross-Site Request Forgery] and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login," the spokesperson said, adding that the changes were implemented in the past, not in response to Homakov's recent blog post.
But on Monday morning, Ken Westin, a security analyst at Tripwire, said he tested the bug and it was working.
With his help we then tested the tool on two websites, Booking.com and Mashable. In both cases, Westin was unable to take over my dummy account. But when we tested the tool with Homakov himself, the researcher was able to get into my dummy Mashable account and change the account's bio adding his name to it.
To take over my account, Homakov simply created a custom URL using the tool he created. He then sent that link to me. I clicked on it, then clicked on "Start RECONNECT" on a page built by Homakov, and voilà, my fake Mashable account was now linked to his Facebook account, giving him complete access to it. (The attack only works if the victim is logged into his or her Facebook account when clicking on the link, but that's common for many people, who leave Facebook logged in at all times.)
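The mechanics described above are a login CSRF: the victim's browser is driven through the site's Facebook Login callback carrying a code issued to the attacker's Facebook account, so the site links that account to the victim's profile. The example below is an added illustration, not Homakov's tool and not Facebook's SDK or any of the affected sites' code. It simulates the site's callback handler offline with a constructed stand-in for Facebook's code exchange, shows the vulnerable handler accepting the crafted link, and beside it the standard OAuth 2.0 mitigation (an unguessable `state` value bound to the session and verified on return), which is what "Facebook's best practices" amount to in this respect. The function names, the fake codes and the session layout are assumptions made for the example; the page does not describe the three individual bugs, and this does not reproduce that chain.

```python
import hmac
import secrets

# Constructed stand-in for Facebook's code-for-identity exchange (the
# /oauth/access_token and /me calls). Maps an authorization code to the
# Facebook user it was issued to. Offline only; not Facebook's real API.
FAKE_FACEBOOK_CODES = {
    "code-for-attacker": "fb:attacker",
    "code-for-victim": "fb:victim",
}


def exchange_code(code):
    """Simulates redeeming an authorization code for a Facebook user id."""
    return FAKE_FACEBOOK_CODES[code]


def vulnerable_callback(session, query):
    """'Before': links whatever Facebook identity the code resolves to, with no
    proof that this browser session started the login flow. A link crafted by
    the attacker carrying a code for *his* Facebook account is accepted."""
    session["linked_facebook"] = exchange_code(query["code"])
    return True


def start_login(session):
    """Hardened flow, step 1: mint a per-session unguessable state value and
    carry it to Facebook in the redirect (as the ?state= parameter)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def hardened_callback(session, query):
    """Hardened flow, step 2: accept the code only if the state echoed back
    matches the one this session minted, and consume it so it cannot be
    replayed. A crafted link cannot know the victim session's state."""
    expected = session.pop("oauth_state", None)
    received = query.get("state", "")
    if expected is None or not hmac.compare_digest(expected, received):
        return False
    session["linked_facebook"] = exchange_code(query["code"])
    return True


def run_attack(callback):
    """Replays the article's scenario against a callback handler: the victim,
    already logged in to the site, follows the attacker's crafted link.
    Returns the Facebook identity now linked to the victim's account, or
    None if the handler refused the link."""
    victim_session = {"user": "victim@example.com"}  # logged in to the site
    # Attacker's crafted URL: the site's callback with a code issued to the
    # attacker's Facebook account, and a state the victim never minted.
    crafted_query = {"code": "code-for-attacker", "state": "attacker-chosen"}
    accepted = callback(victim_session, crafted_query)
    return victim_session.get("linked_facebook") if accepted else None


def legitimate_login():
    """Control case: the hardened flow still works when the same session starts
    the login and receives its own state back from Facebook."""
    session = {"user": "victim@example.com"}
    state = start_login(session)
    ok = hardened_callback(session, {"code": "code-for-victim", "state": state})
    return session["linked_facebook"] if ok else None


if __name__ == "__main__":
    print("vulnerable handler links:", run_attack(vulnerable_callback))  # fb:attacker
    print("hardened handler links:  ", run_attack(hardened_callback))    # None
    print("legitimate login links:  ", legitimate_login())               # fb:victim
```

The state check is necessary but not sufficient on its own: it must be a fresh, unpredictable value tied to the session (not a constant, and not something the attacker can set by redirecting the victim through the site's own login-start endpoint first), and the account-linking step should additionally require the user to be authenticated to the site and, ideally, to confirm the link explicitly.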
So, should you be worried about this bug?
Whether or not the bug has been fixed, researchers said it was a serious one.
"This is a phisher's dream," Westin said when Motherboard sent him the link to the blog post on Monday morning. "It's a really powerful tool for people that are doing phishing."
With this exploit, an attacker could have gained access to a lot of personal data to use in subsequent hacks on more sensitive accounts. That's basically what happened to BuzzFeed's Mat Honan in his infamous "epic" hack while he was at Wired. In that case, a hacker compromised one of Honan's accounts and then moved on to compromise other linked accounts.
"Once you let me access one of your accounts, it's fairly easy to leverage that access to log into additional accounts and gather more information," Ian Amit, the vice president of social media security firm ZeroFOX, told Motherboard.
Obviously, this kind of exploit only works if the victim clicks on the link—but phishing is still one of the most effective ways to hack people.
Also, the victim would have to click on the RECONNECT webpage, although Homakov said that he didn't need to make that page to hijack the account, and that the page was just created for "demo purposes."
So, once again, the best advice to avoid hacks like this is not to click on suspicious links.
"Don't click on anything that seems wrong to you or that seems suspicious," Amit said. "If it's suspicious, it's probably malicious."