Reconnect is a tool that gives attackers the chance to hijack accounts on sites relying on Facebook login. The tool was developed by security researcher Egor Homakov in response to Facebook’s refusal to fix a cross-site request bug in Facebook Login due to potential problems with compatibility.
The developer of the tool wrote in his blog that every website connected to Facebook via login is exposed to phishing threats. The second an attacker finds a 302 redirect to another domain, the account in question may be hijacked.
Homakov disclosed his communication with the Facebook team. Acknowledged by his concerns, the team wrote that they were aware of this matter but they didn’t have a systematic solution. The team also mentioned that the scale of the problem was debatable.
一方, Homakov emphasizes that despite the fact that Facebook’s business approach is understandable, one should never hesitate between security and compatibility.
What Does Reconnect Do?
The tool exploits the lack of CSRF (Cross-Site Request Forgery) protection which involves three processes – Facebook log in, log out and third-party account connections. Facebook is capable of solving the first two, but won’t do so because of the reason mentioned above. The third issue, しかしながら, must be solved by websites owners who chose to integrate the Login with Facebook functionality.
Reconnect generates malicious URLs. Once a user is lured into clicking them, they are logged out of their profile and logged in to a rogue account created by the hacker. This enables the attacker to intervene with all the private data the user has on the third-party website.
Instead of fixing the issue, Facebook decided to make things more difficult for hijacker by implementing few changes to avoid CSRF login. The giant has also released a guidance to developers which explains how to integrate the Login Dialogs in all cases.
While Homakov’s actions may seem exaggerated to some, the developer successfully drew attention to a potential exploit threat. His advice towards businesses and users is not using the login provided by Facebook. In his words, passwords are a far better choice.