Even after almost a year, Facebook apparently has failed to fix a bug that lets attackers hijack accounts on sites that leverage Facebook login, such as Mashable, Bit.ly, About.me, Vimeo, Angel.co and Stumbleupon, reveals a Sakurity.com blog post.
Egor Homakov, the author of the post, identified that “this bug abuses triple-CSRFs at once: CSRF on logout, CSRF on login and CSRF on account connection.”
Homakov states that Facebook has failed to eliminate the bug despite his warning.
He continues “the first two can be fixed by Facebook. #3 must be fixed by website owners.”
Since Facebook has ignored the bug, Homakov says he will take what he terms Reconnect “to the next level and give blackhats this simple tool.”
In the blog post, Homakov has revealed the step-by-step process for creating rogue Facebook accounts that redirect victims when they click on a malicious URL. The same thing occurs when users log in to sites like Mashable with their Facebook credentials.
After connecting the attacker’s Facebook account “to the victim account on that website,” Homakov explains, “we can log in that account directly to change email/password, cancel bookings, read private messages and so on.”
Tripwire’s senior security analyst Ken Westin tested the tool and stated that “it looks legitimate” and that it is “a phisher’s dream really,” further adding that “we will see a lot of Facebook accounts compromised by this.”
Additionally, Westin identified “another proof-of-concept that avoids the window popping up specifically on Firefox.”
If a user who is logged into Facebook signs in to a third-party website that leverages Facebook login, such as Mashable, and “then clicks on a link that has been created using this vulnerability, an attacker can associate the account with their Facebook account,” states Westin. The attacker can ultimately gain access to the victim’s Mashable account. “The user still has to click on a link in order for this to happen and, from what I can tell, also needs to be logged into Facebook.”
Spikes Security CEO Branden Spikes states that this bug “is a very big issue.” He also criticized Facebook’s failure to fix the problem.
“Also, giving Facebook a little benefit of the doubt here, this looks like an instance of an unfortunate practice where black hats or corrupt penetration testing firms discover big vulnerabilities like this, and rather than submitting them through the standard bug bounty channels (or on the terms of their professional contract with the victim) they choose to ransom them instead. When a victim company doesn’t pay the ransom, the penetration testing firm goes public with it, claiming the victimized company ‘refused to fix’ the issue,” added Spikes.
Spikes also speculated that Facebook is pretty “keen to get a hold of the details and remedy the problem very quickly, so that the window of opportunity for exploit will be quite short.”
On the other hand, Facebook’s spokesperson says that:
“This is a well-understood behavior. Site developers using Login can prevent this issue by following our best practices and using the ‘state’ parameter we provide for OAuth Login. We’ve also implemented several changes to help prevent login CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login.”
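The mitigation Facebook’s spokesperson refers to, binding the OAuth `state` parameter to the user’s own browser session, is what closes the account-connection CSRF on the website side. The following is an added illustration written for this article, not code from Facebook, Sakurity or any of the sites named above; the authorization endpoint URL and the function names are assumptions, and the session is modelled as a plain dictionary.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Hypothetical provider endpoint; the real Facebook OAuth URLs are not reproduced here.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"


def start_login(session, client_id, redirect_uri):
    """Build the authorization redirect and bind a fresh, unguessable
    state value to this browser session before sending the user away."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session, query_string):
    """Validate the provider callback. Return the authorization code only
    when the state echoed back matches the one stored in this session;
    otherwise return None so the caller links or logs in nothing.

    A forged link (the cross-site case) arrives in a session that either
    holds no pending state or holds one the attacker cannot know, so the
    comparison fails and the attacker's identity is never connected to
    the victim's account on the site."""
    params = parse_qs(query_string)
    returned_state = params.get("state", [""])[0]
    # Single use: consume the stored state whether or not it matches,
    # so a captured callback cannot be replayed later in the same session.
    expected_state = session.pop("oauth_state", None)
    if not expected_state:
        return None
    if not hmac.compare_digest(expected_state.encode(), returned_state.encode()):
        return None
    return params.get("code", [None])[0]


def connect_account(session, query_string, links):
    """Link the external identity to the currently logged-in site user,
    but only after the callback passes the state check. `links` is a
    constructed dict {site_user_id: authorization_code} standing in for
    the site's account-link table."""
    code = handle_callback(session, query_string)
    user_id = session.get("user_id")
    if code is None or user_id is None:
        return False
    links[user_id] = code
    return True


if __name__ == "__main__":
    # Legitimate flow: the same browser starts the login and completes it.
    sess = {"user_id": "victim"}
    start_login(sess, "app-id", "https://relying.example/cb")
    links = {}
    print(connect_account(sess, f"code=abc&state={sess['oauth_state']}", links))  # True

    # Cross-site flow: a callback the victim never initiated carries no valid state.
    sess = {"user_id": "victim"}
    print(connect_account(sess, "code=attacker&state=guess", links))  # False
```

Two details matter for the check to hold: the stored state is popped on every callback so it cannot be replayed, and the comparison uses a constant-time function so the stored value cannot be recovered by timing. Sites that also accept a callback while no login was started in that session (the `expected_state` is missing branch) are exactly the ones the article describes as linkable from a third-party link.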