In a direct call to black hat hackers, Sakurity has released RECONNECT, a ready-to-use tool for hijacking accounts on websites that offer Facebook Login, including Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.
“Feel free to copy and modify [the RECONNECT] source code,” says Sakurity founder Egor Homakov. “Facebook refused to fix this issue one year ago, unfortunately it's time to take it to the next level and give black hats this simple tool.”
Facebook denies that it has refused to fix the issue, emphasising that it evaluates the trade-offs entailed in making changes. A Facebook spokesman told SCMagazineUK.com via email: “This is a well-understood behaviour. Site developers using Login can prevent this issue by following our best practices and using the ‘state’ parameter we provide for OAuth Login. We've also implemented several changes to help prevent login CSRF and are evaluating others while aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login.”
Sakurity has published a clearly detailed step-by-step process for carrying out RECONNECT on its blog. The first step is a Facebook logout URL, pasted into the browser's address bar, that signs the victim out of Facebook; the second uses a Canvas application to sign the victim's browser into the attacker's own Facebook account. “Previously, a simple Referer-free request did the job, but it's been a while and Facebook has made a (lame) attempt to fix it,” claims Homakov.
For clarity here, the HTTP Referer header (the misspelling is the one fixed in the HTTP standard) carries the URL of the page from which a request was made. A server can use it to tell whether a request originated on its own pages or on a third-party site, which makes Referer checking a weak but common defence against cross-site request forgery; a “Referer-free request” is one sent without that header, which such a check typically lets through.
Deeply integrated into Facebook
According to Facebook's developer pages, Canvas is a frame to put an application or game directly onto the social site itself. “Building a Canvas app on Facebook gives you the opportunity to deeply integrate into the core Facebook experience. Your app can integrate with many aspects of Facebook, including the News Feed and Notifications. All of the core Facebook Platform technologies, such as Graph API, Facebook Login and Payments are available within Canvas apps.”
Homakov says that from that point, once the victim's account on the target website has been connected to the attacker's Facebook account, the attacker can sign in to the victim's account on that site directly through Facebook Login and change the email address or password, cancel bookings, read private messages and so on.
Triple cross-site request forgery bypass
This bug chains three CSRFs (Cross-Site Request Forgery) at once: CSRF on Facebook logout, CSRF on Facebook login, and CSRF on the target website's account connection. CSRF #1 and #2 can be fixed by Facebook, says Homakov, but #3 must be fixed by website owners. “In theory all of these features must be protected from CSRF,” he said.
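The following simulation is an added illustration and is not Sakurity's tool, Facebook's code, or any of the named websites' code. It models a hypothetical relying-party site with a “Connect your Facebook account” feature and a constructed stand-in for Facebook's OAuth dialog, and runs CSRF #3 against three configurations: no protection, the ‘state’ check Facebook recommends, and state plus a CSRF token on the request that starts the flow. The second attack path (making the victim's browser start the connect flow while it is signed in to the attacker's Facebook account, which is what CSRFs #1 and #2 set up) is the editor's reading of why Homakov says #3 must be fixed on the site side: state alone only blocks a forged callback URL, because the site itself minted the state when the victim's browser was pushed into the flow. All identifiers, sessions and Facebook user ids are constructed.

```python
import secrets


class FakeFacebook:
    """Constructed stand-in for Facebook's OAuth dialog and token endpoint
    (not Facebook's code). The dialog issues an authorization code for
    whichever Facebook account the *browser* is signed into and echoes the
    `state` value back unchanged, as a real OAuth dialog does."""

    def __init__(self):
        self.codes = {}  # authorization code -> Facebook user id

    def dialog(self, browser_fb_user, state):
        code = secrets.token_hex(8)
        self.codes[code] = browser_fb_user
        query = {"code": code}
        if state is not None:
            query["state"] = state
        return query  # the query string the site's callback URL receives

    def exchange(self, code):
        return self.codes.pop(code, None)


class Site:
    """Hypothetical relying party with a 'Connect your Facebook account' feature.

    require_state: the callback checks `state` against the user's session.
    protect_start: starting the flow requires the site's own CSRF token.
    """

    def __init__(self, fb, require_state, protect_start):
        self.fb = fb
        self.require_state = require_state
        self.protect_start = protect_start
        self.links = {}  # site account -> linked Facebook user id

    def start_connect(self, session, csrf_token=None):
        """Begins the flow. Returns the query the site would put on its redirect
        to facebook.com/dialog/oauth, or None if the request is refused."""
        if self.protect_start and csrf_token != session.get("csrf"):
            return None
        params = {"client_id": "example-app-id"}
        if self.require_state:
            params["state"] = secrets.token_urlsafe(32)
            session["oauth_state"] = params["state"]
        return params

    def callback(self, session, query):
        """Links the Facebook identity behind `code` to whoever is logged in."""
        if self.require_state:
            expected = session.pop("oauth_state", None)
            if not expected or not secrets.compare_digest(expected, query.get("state", "")):
                return False
        fb_uid = self.fb.exchange(query.get("code"))
        if fb_uid is None:
            return False
        self.links[session["user"]] = fb_uid
        return True

    def login_with_facebook(self, fb_uid):
        """Which site account does a Facebook login as `fb_uid` open?"""
        return next((acct for acct, u in self.links.items() if u == fb_uid), None)


def victim_session():
    # Constructed: the victim is logged in to the site with a CSRF token the
    # attacker does not know.
    return {"user": "victim@example.com", "csrf": secrets.token_hex(16)}


def forged_callback_attack(site):
    """Attacker runs the dialog in their own browser to get a code for their own
    Facebook account, then makes the victim's browser request the site's
    callback URL with that code. The `state` check alone stops this."""
    victim = victim_session()
    query = site.fb.dialog("fb-attacker", state=None)
    site.callback(victim, query)
    return site.login_with_facebook("fb-attacker")


def forced_start_attack(site):
    """After CSRF #1 (logout) and #2 (login) the victim's browser is signed in
    to the attacker's Facebook account. The attacker now sends that browser to
    the site's connect-start URL. A state check passes here because the site
    minted the state itself; only a CSRF-protected start refuses it."""
    victim = victim_session()
    params = site.start_connect(victim, csrf_token=None)
    if params is None:
        return None  # start refused: no account is linked
    query = site.fb.dialog("fb-attacker", params.get("state"))
    site.callback(victim, query)
    return site.login_with_facebook("fb-attacker")


def legitimate_connect(site):
    """The real user, with their own CSRF token, links their own account."""
    user = victim_session()
    params = site.start_connect(user, csrf_token=user["csrf"])
    query = site.fb.dialog("fb-victim", params.get("state"))
    return site.callback(user, query) and site.links[user["user"]] == "fb-victim"
```

Run `forged_callback_attack` and `forced_start_attack` against `Site(FakeFacebook(), False, False)`, `Site(FakeFacebook(), True, False)` and `Site(FakeFacebook(), True, True)`: the unprotected site loses the victim's account to both paths, the state-only site blocks the forged callback but still links the victim's account to the attacker's Facebook identity when the victim's browser is pushed into the flow, and only the site that also CSRF-protects the start of the flow refuses both while `legitimate_connect` still succeeds.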
Nimrod Luria, co-founder and CTO at Sentrix, provider of Cloud-DMZ, a solution protecting enterprises against web attacks such as the Reconnect exploit, told SCMagazineUK.com: "The Reconnect bug proves once again that traditional web security technologies fail to protect against the simplest and most well-known attack vectors like Cross Site Request Forgery (CSRF) and Facebook's Image parsing bug (Facebook allows running a script within an image tag), resulting in account hijacking. The question is why does Facebook refuse to fix this problem for over a year. In my opinion Facebook is concerned that a fix will cause backward compatibility issues for all Facebook connected apps. Supporting backward compatibility would require a massive change on Facebook's side. Yet I think it's now time for Facebook to get to work. It's critical for all Apps developers implementing Facebook Login to be aware that they are exposed. Since Facebook is leaving its developers exposed, they'll have to take action to protect their users: they must review any code that implements Facebook Login, secure the code to prevent CSRF and issue a patch ASAP.”
Steve Nice, a certified ethical hacker and CTO at secure hosting experts Reconnix told SCMagazineUK.com: "This is an elegant exploitation of third party authorisation methods and has real potential for use not only with Facebook but indeed with many "Log in using X" methods. In light of this, I would advise businesses to update a potential hole in their security policies and encourage staff to use complex, unique passwords for applications rather than third-party log in methods."
Homakov's openness with this hacking information is certainly pronounced. We understand that Facebook is investigating automated tools to help detect and block this behaviour, and we expect it will address the remaining weaknesses competently in the long run, but the route to user compromise described here still offers a lesson for all security practitioners: every step that changes who a browser is logged in as, on the identity provider and on the relying site alike, needs its own CSRF protection.