Penetration testing company Sakurity has openly named and blamed Facebook over a security vulnerability that it says exists on websites with a Facebook login option.
In a direct call to black hat hackers, Sakurity has created RECONNECT as a ready-to-use tool to hijack accounts on websites including Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.
“Feel free to copy and modify [the RECONNECT] source code,” says Sakurity founder Egor Homakov. “Facebook refused to fix this issue one year ago, unfortunately it’s time to take it to the next level and give black hats this simple tool.”
Sakurity offers a clearly detailed step-by-step process for implementing RECONNECT on its blog. Starting with a Facebook logout command to be pasted into a URL bar, the company then instructs hackers to use a Canvas application to log into its own Facebook account. “Previously, a simple Referer-free request did the job, but it’s been a while and Facebook has made a (lame) attempt to fix it,” claims Homakov.
For clarity here, an HTTP referer (misspelling intentional) is one of the HTTP request header fields: it carries the address of the page the user was on when they clicked a link or submitted a request, so the receiving website can see where the request came from.
Deeply integrated into Facebook
According to Facebook’s developer pages, Canvas is a frame to put an application or game directly onto the social site itself. “Building a Canvas app on Facebook gives you the opportunity to deeply integrate into the core Facebook experience. Your app can integrate with many aspects of Facebook, including the News Feed and Notifications. All of the core Facebook Platform technologies, such as Graph API, Facebook Login and Payments are available within Canvas apps.”
Sakurity explains how to navigate around Facebook’s JavaScript and existing login intelligence using a special redirect command. This will drive ‘victims’ to a specified location where they are in fact logged into the Sakurity Facebook account. Sakurity then triggers the Facebook login that a user would expect on the client website so that its account is connected to the victim’s account.
Homakov says that from that point, Sakurity can log in to that user’s account directly to change email/password, cancel bookings, read private messages and so on.
Triple cross-site request forgery bypass
This bug abuses three CSRFs (Cross-Site Request Forgery) at once: CSRF on logout, CSRF on login and CSRF on account connection. CSRF #1 and #2 can be fixed by Facebook, says Homakov, but #3 must be fixed by website owners. “In theory all of these features must be protected from CSRF,” he said.
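The third CSRF, on the account-connection step, is the one the article says website owners must fix themselves. As an added example (not Sakurity's or Facebook's code), the constructed Python below shows a connect callback with nothing binding it to a flow the logged-in user started, beside the same callback protected by a per-session, single-use OAuth `state` token; the identity-provider code exchange is a stub and all names and values are assumptions.

```python
import hmac
import secrets

# Constructed stand-in for the identity provider's code-for-token exchange
# (assumption: a real site would call the provider's token endpoint here).
_IDP_CODES = {"code-alice": "idp-user-alice", "code-other": "idp-user-other"}


def exchange_code(code):
    """Return the external user id behind an authorization code, or None."""
    return _IDP_CODES.get(code)


def begin_connect(session):
    """Start a connect flow: mint a single-use state token bound to this session.
    The site sends it as the OAuth `state` parameter and the provider echoes it
    back unchanged on the callback."""
    state = secrets.token_urlsafe(32)
    session["connect_state"] = state
    return state


def connect_callback_vulnerable(session, params, accounts):
    """CSRF #3 from the article: the callback links whatever external identity
    the code resolves to onto the logged-in local user, with nothing proving
    that this user started the flow."""
    external_id = exchange_code(params.get("code"))
    if external_id is None:
        return False
    accounts[session["user_id"]] = external_id
    return True


def connect_callback_hardened(session, params, accounts):
    """Same endpoint with the defence: accept the callback only if it carries
    the state token minted for this session, compared in constant time and
    consumed so it cannot be replayed; only then exchange the code."""
    expected = session.pop("connect_state", None)  # consumed even on failure
    presented = params.get("state")
    if expected is None or not isinstance(presented, str):
        return False
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    external_id = exchange_code(params.get("code"))
    if external_id is None:
        return False
    accounts[session["user_id"]] = external_id
    return True
```

A forged callback arriving with the victim's cookies but no matching state is rejected before any code exchange, and a replayed state is rejected because the token was consumed.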
Steve Nice is a certified ethical hacker and CTO at secure hosting experts Reconnix. Nice spoke to SCMagazineUK.com to say: “This is an elegant exploitation of third party authorisation methods and has real potential for use not only with Facebook but indeed with many “Log in using X” methods. In light of this, I would advise businesses to update a potential hole in their security policies and encourage staff to use complex, unique passwords for applications rather than third-party log in methods.”
Homakov’s openness with this hacking information is certainly pronounced. If we can assume that Facebook eventually addresses all security vulnerabilities competently in the long run, the malicious route to user compromise described here still offers a lesson for all security practitioners.