A bug in Facebook Login that, according to a Sakurity.com blog post, the social network has failed to fix for more than a year allows attackers to compromise accounts on websites that use Facebook Login, notably Bit.ly, About.me, StumbleUpon, Angel.co, Mashable.com, Vimeo and others.
The post, penned by Egor Homakov, noted that “this bug abuses triple-CSRFs at once: CSRF on logout, CSRF on login and CSRF on account connection.” The first two “can be fixed by Facebook,” Homakov said, noting the company has yet to do so, despite his warning over a year ago. “#3 must be fixed by website owners.” He said that because Facebook had not addressed the bug, he was taking what he calls Reconnect “to the next level and give blackhats this simple tool.”
The blog post walks would-be attackers through a step-by-step process for setting up a rogue Facebook account and crafting a malicious URL: a victim who clicks it is logged out of Facebook and back in to the attacker's account, and the same link then completes the Facebook Login connection on a website such as Mashable. Once a “Facebook account is connected to the victim account on that website and we can log in that account directly to change email/password, cancel bookings, read private messages and so on,” the blog said.
Ken Westin, senior security analyst at Tripwire, tested the tool, and in a statement sent to SCMagazine.com, said “it looks legitimate.” Westin called it “a phisher's dream really,” and predicted “we will see a lot of Facebook accounts compromised by this.”
In addition to the bug, Westin found “another proof-of-concept that avoids the window popping up specifically on Firefox.”
If a user is logged into Facebook and opts to sign into a third-party site that leverages Facebook Login, such as Mashable, “and then clicks on a link that has been created using this vulnerability, an attacker can associate the account with their Facebook account,” Westin said, ultimately gaining the ability to log into the victim's Mashable account through the attacker's own Facebook account. “The user still has to click on a link in order for this to happen and, from what I can tell, also needs to be logged into Facebook.”
Branden Spikes, CEO of Spikes Security, in a statement sent to SCMagazine.com called the bug “a very big issue.” He called into question claims that Facebook had refused to fix the problem.
“Also, giving Facebook a little benefit of the doubt here, this looks like an instance of an unfortunate practice where black hats or corrupt penetration testing firms discover big vulnerabilities like this, and rather than submitting them through the standard bug bounty channels (or on the terms of their professional contract with the victim) they choose to ransom them instead,” he said. “When a victim company doesn't pay the ransom, the penetration testing firm goes public with it, claiming the victimized company ‘refused to fix’ the issue.”
Spikes speculated that “Facebook is keen to get ahold of the details and remedy the problem very quickly, so that the window of opportunity for exploit will be quite short.”
A Facebook spokesman told SCMagazineUK.com via email: “This is a well-understood behaviour. Site developers using Login can prevent this issue by following our best practices and using the ‘state’ parameter we provide for OAuth Login. We've also implemented several changes to help prevent login CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login.”
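What the spokesman's advice looks like in a site's own code, as an added example that is not from the article, from Sakurity or from Facebook: a minimal “connect your Facebook account” callback handler, first as the third CSRF Homakov describes (the site links whatever Facebook identity the callback's authorization code resolves to, with no proof that the logged-in user started the flow), then hardened with an unguessable, session-bound, single-use `state` value. The app id, redirect URI and the table that stands in for Facebook's code-for-token exchange are constructed for the example so that it runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical app registration values; not taken from the article.
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"
CLIENT_ID = "000000000000000"
REDIRECT_URI = "https://site.example/fb/connect/callback"

# Constructed stand-in for the code-for-token exchange plus the /me lookup:
# an authorization code resolves to the Facebook user whose browser session
# produced it. Real codes come from Facebook; these are made up.
FAKE_CODE_TO_FB_USER = {
    "code-from-victim-session": "fb:victim",
    "code-from-attacker-session": "fb:attacker",
}


def exchange_code(code):
    """Stand-in for the token exchange; None means Facebook rejected the code."""
    return FAKE_CODE_TO_FB_USER.get(code)


class LinkedAccounts:
    """Which Facebook identity may log in as which website account."""

    def __init__(self):
        self._fb_to_site = {}

    def link(self, fb_user, site_user):
        self._fb_to_site[fb_user] = site_user

    def site_user_for(self, fb_user):
        return self._fb_to_site.get(fb_user)


def _param(callback_url, name, default):
    return parse_qs(urlparse(callback_url).query).get(name, [default])[0]


# --- vulnerable: CSRF on account connection (Homakov's #3) ---

def connect_callback_vulnerable(session, callback_url, accounts):
    fb_user = exchange_code(_param(callback_url, "code", None))
    if fb_user is None:
        return False
    # Nothing ties this callback to a flow the logged-in user started.
    accounts.link(fb_user, session["site_user"])
    return True


# --- hardened: state is random, stored in the session, checked once ---

def authorize_url(session):
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return AUTHORIZE_ENDPOINT + "?" + urlencode(
        {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
         "response_type": "code", "state": state})


def connect_callback(session, callback_url, accounts):
    expected = session.pop("oauth_state", None)  # consumed on first use, valid or not
    if expected is None:
        return False  # no Connect flow pending for this session
    presented = _param(callback_url, "state", "")
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    fb_user = exchange_code(_param(callback_url, "code", None))
    if fb_user is None:
        return False
    accounts.link(fb_user, session["site_user"])
    return True


def reconnect_attack(connect_handler):
    """Victim is logged in to the site as 'alice'. The logout and login CSRFs on
    Facebook's side (Homakov's #1 and #2) are assumed to have already put her
    browser in the attacker's Facebook session, so the code in the callback
    link she clicks is one Facebook issued to the attacker. Returns the site
    account the attacker's Facebook identity ends up linked to, or None."""
    accounts = LinkedAccounts()
    victim_session = {"site_user": "alice"}  # no oauth_state: she never clicked Connect
    forged = REDIRECT_URI + "?" + urlencode({"code": "code-from-attacker-session"})
    connect_handler(victim_session, forged, accounts)
    return accounts.site_user_for("fb:attacker")


def legitimate_connect_then_replay():
    """Genuine flow through the hardened handler, then a replay of the same callback."""
    accounts = LinkedAccounts()
    session = {"site_user": "alice"}
    state = _param(authorize_url(session), "state", "")
    callback = REDIRECT_URI + "?" + urlencode(
        {"code": "code-from-victim-session", "state": state})
    first = connect_callback(session, callback, accounts)
    replay = connect_callback(session, callback, accounts)
    return first, replay, accounts.site_user_for("fb:victim")


if __name__ == "__main__":
    print("vulnerable handler links attacker to:", reconnect_attack(connect_callback_vulnerable))
    print("hardened handler links attacker to:", reconnect_attack(connect_callback))
    print("legitimate, replay, linked:", legitimate_connect_then_replay())
```

The `state` check covers only the site's half of the problem, the account-connection CSRF. If the victim's browser can be logged into the attacker's Facebook account and then made to start the Connect flow itself, the state is generated and carried by the victim's own session, so the check passes; that is the variant Homakov says only Facebook can close by fixing the logout and login CSRFs. A site can narrow that window further by starting the flow only from a POST protected by its own CSRF token rather than from a bare GET link, and by requiring a fresh password or explicit confirmation before a new identity is linked to an existing account.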