Egor Homakov discovered that the “Sign-in or Login with Facebook” is the gateway to allowing access to your Facebook account. Those Hackers didn’t get your passward but they can access your account via a third part app like Bit.ly, Mashable, Vimeo, About.me, Stumbleupon, Angel.co and possibly many more.
So avoid using your Facebook account on different platforms, because if you won’t you will eventually be a victim of cyber crime. The most interesting thing about that the Facebook knew about this flaw from a year according to Egor Homakov. But they were not able to fix it because of the large number of sites use this service for their log-in. Because Facebook is still the largest social networking site in the globe.
Egor Homakov provided the step-by-step instruction in a blog post to setup a rogue FB account to which the victims are redirected to after they get tricked to clicking the malicious URLs generated by the attackers with the Reconnect tool.
The flaw abuses the lack of CSRF protection for the following processes:
Egor Homakov added that Facebook cannot fix the third issue which is ‘Third party account connection”. It can only be fixed by the website admin who installed the Log-in with Facebook feature in its website. The other two vulnerabilities can be fixed by the Facebook.
The attack allows to link the Facebook account of the attacker to the
victim account on the third-party site, in this way a bad actor is able
to log into that account directly and change its settings (i.e.
password, email addresses).
Egor Homakov explained that the attack is quite easy. It works by creating a link that when clicked on logs the victim out of it account and into a Facebook account under the control of the attacker.it works by creating a link that when clicked on logs the victim out of it account and into a Facebook account under the control of the attacker.
Facebook also released an statement that, ” We’ve also implemented several changes to help prevent log-in CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Log-in,”
Industrial Cybersecurity
September 28, 2023
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings
Have you heard about the term “test automation” but don’t really know what it is? Well, you’ve come to the right page! Get all your
This article explores the idea of discovering the victim’s location. Previously, we have used several tools for OSINT purposes, so, today let us try this
Can random characters in your code get you in trouble? They certainly can! Today, we are going to discuss CRLF injections and improper neutralization of
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings
