Security researcher Egor Homakov has identified a couple of vulnerabilities that can be exploited to hijack accounts on websites that allow users to authenticate by using their Facebook accounts. Unfortunately, Facebook will not address these issues any time soon.
The first security hole, a CSRF on Facebook.com, can be leveraged by cybercriminals to hijack accounts by replacing the victim’s identity with their own.
The second flaw is related to the use of “signed_request.” An attacker who manages to steal his victim’s signed_request with a 302 redirect to his own domain can log in to the targeted account.
The expert advises developers to stop using signed_requests and turn to more secure alternatives.
Additional technical details on these Connect with Facebook attacks are available on Homakov’s blog. The expert’s post also contains recommendations for developers on how to mitigate these attacks.