Researcher Warns of Account Hijacking Flaws in “Connect with Facebook” Feature


Connect with Facebook is plagued by vulnerabilities

Security researcher Egor Homakov has identified a couple of vulnerabilities that can be exploited to hijack accounts on websites that allow users to authenticate by using their Facebook accounts. Unfortunately, Facebook will not address these issues any time soon.

The first security hole, a CRSF on Facebook.com, can be leveraged by cybercriminals to hijack accounts by replacing the victim’s identity with their own.

The second flaw is related to the use of “signed_request.” An attacker who manages to steal his victim’s signed_request with a 302 redirect to his own domain can log in to the targeted account.

The expert advises developers to stop using signed_requests and turn to more secure alternatives.

Additional technical details on these Connect with Facebook attacks are available on Homakov’s blog. The expert’s post also contains recommendations for developers on how to mitigate these attacks.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s