Wednesday, March 11, 2015

Facebook Hacking Tool - Reconnect.


Facebook is a social networking site with millions of users online. A security researcher posted that #Facebook has a poor security feature and proved it. He has released a hack tool that can be used to hijack user accounts.

He disclosed the vulnerability on his Blogspot blog. Facebook declined to fix the issue, so he developed a tool that attackers can use to hijack Facebook accounts. The tool is named #Reconnect. It exploits a Cross-Site Request Forgery (CSRF) vulnerability present in the Facebook page.

The tool takes advantage of the fact that many e-commerce websites use Facebook Login as an authorisation token for logging into their sites; an attacker can use this to hijack such web accounts with ease. It also opens the door to phishing attacks.

When a potential victim is tricked into clicking the attacker's URL, they are logged out of their own Facebook account and logged into a cloned account on the network set up by the attackers. At the same time, the victim's accounts on websites that use Facebook Login get linked to that cloned account.

This gives the attacker access to the victim's accounts on the third-party sites, allowing them to change passwords, read private messages and perform other malicious actions.
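On the side of a site that offers Facebook Login, one mitigation is to bind the login callback to the user's own session with an unguessable, single-use `state` value, so that a link the user's browser never initiated is rejected. The sketch below is an added example, not code from the original post or from the Reconnect tool; the function names, the in-memory session store and the sample identifiers are hypothetical.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption); a real site would use
# its web framework's server-side session instead.
SESSIONS = {}


def begin_facebook_link(session_id):
    """Run when the logged-in user clicks 'Connect with Facebook'.

    Generates an unguessable value, stores it in the user's session and
    returns it so it can be sent as the `state` parameter of the
    authorization request.
    """
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    return state


def finish_facebook_link(session_id, returned_state, facebook_user_id):
    """Run on the OAuth callback. Returns True only if linking is allowed.

    A forged request arrives in the victim's session without the state
    that this session issued, so it is refused and nothing is linked.
    """
    session = SESSIONS.get(session_id, {})
    expected = session.pop("oauth_state", None)  # single use, fail closed
    if expected is None or not returned_state:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return False
    session["linked_facebook_id"] = facebook_user_id
    return True
```

The request that starts the linking flow should itself require an anti-CSRF token, since the `state` check only protects the callback step.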

The developer provides a step-by-step tutorial on how to use the tool. Reconnect can hijack accounts on Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable, Vimeo and many other sites that support the Facebook login portal.

The complete tutorial about the usage of the tool can be found here.

Facebook says that it has made it harder for attackers to exploit the vulnerability without affecting the functionality of the authentication token.

P.S.: This post is meant to create awareness and is not to be misused.