Hackers Can Now Use One Free Tool To Hijack Your Facebook-Linked Login For Pretty Much Any Site

Modern life means logging in to about a zillion different websites and apps every week, with about a zillion different accounts. But there are ways to streamline it all — for example, logging in to everything with your Facebook account, as millions do. That’s much more convenient not only for you, but for hackers who have a new way to target you: a free, easy-to-download tool that exploits a bug in those logins to let them hijack your account. Oops.

The researcher who discovered the bug and designed the tool set it loose in the wild last week, Vice’s Motherboard site reports, after claiming Facebook ignored his reports of the problem.

In essence, the tool lets an attacker hijack a user's logged-in session (their cookies) on a specific website and then access the user's account on that site.

A representative for Facebook told Motherboard that the issue was indeed “well-understood” from last year, and that changes had been made in the past that should help prevent cross-site request forgery. However, Motherboard — with the aid of an outside security expert — tested the tool themselves on two different sites, with mixed results. In two instances it didn’t work; in a third, it did. As they explain:

To take over my account, Homakov [the researcher who wrote the tool] simply created a custom URL using the tool he created. He then sent that link to me. I clicked on it, then clicked on “Start RECONNECT” on a page built by Homakov, and voila, my fake Mashable account was now linked to his Facebook account, giving him complete access to it. (The attack only works if the victim is logged into his or her Facebook account when clicking on the link, but that’s common for many people, who leave Facebook logged in at all times.)

The security expert Motherboard spoke with confirmed that the flaw is a serious issue, but there is good news: this vulnerability doesn’t just strike out of nowhere. In order to have their logins hijacked, users first need to have clicked on a malicious link, as in a phishing e-mail.
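The standard defence against this class of login CSRF is the OAuth 2.0 `state` parameter: the site mints a random value bound to the visitor's session before redirecting to the identity provider, and refuses any callback that does not carry that same value back. What follows is an added illustration, not Homakov's tool or any Facebook or Motherboard code; the provider URL, the session dictionaries and the code-for-identity exchange are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed simulation of a "Log in with Facebook" account-linking flow.
# The site stores an unguessable `state` in the visitor's session before the
# redirect and links an identity only when the callback carries it back; a
# link prepared by someone else carries *their* state and is rejected.

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # hypothetical
FAKE_CODES = {"code-victim": "fb:victim", "code-attacker": "fb:attacker"}  # stand-in
def fake_exchange(code: str):
    """Constructed stand-in for the server-side code-for-identity exchange."""
    return FAKE_CODES.get(code)

def start_login(session: dict) -> str:
    """Mint a per-session state and build the redirect URL to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return f"{AUTHORIZE_URL}?client_id=example-app&state={state}"

def handle_callback(session: dict, params: dict, check_state: bool = True) -> dict:
    """Process the provider's redirect; check_state=False reproduces the
    unprotected behaviour the article describes (any callback gets linked)."""
    expected = session.pop("oauth_state", None)  # single use, then discarded
    received = params.get("state", "")
    if check_state and (expected is None
                        or not hmac.compare_digest(expected, received)):
        return {"linked": False, "reason": "state mismatch: possible login CSRF"}
    identity = fake_exchange(params.get("code", ""))
    if identity is None:
        return {"linked": False, "reason": "invalid authorization code"}
    session["linked_identity"] = identity
    return {"linked": True, "identity": identity}

def state_from(url: str) -> str:
    return parse_qs(urlparse(url).query)["state"][0]

def legitimate_flow() -> dict:
    """Victim starts the login themselves and returns with their own state."""
    session = {"user": "victim"}
    state = state_from(start_login(session))
    return handle_callback(session, {"code": "code-victim", "state": state})

def crafted_link_flow(check_state: bool = True) -> dict:
    """Logged-in victim opens a callback link that someone else prepared."""
    other_state = state_from(start_login({}))      # bound to the other session
    victim_session = {"user": "victim"}            # never started a login
    return handle_callback(victim_session,
                           {"code": "code-attacker", "state": other_state}, check_state)
```

With the check in place the crafted link fails because the victim's session holds no matching state; with it disabled the other party's identity is silently linked, which is the outcome Motherboard observed.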

And so although this is a newly reported vulnerability, age-old internet advice still applies: be careful what you click. If it looks suspicious, assume it is.

Facebook-Linked Accounts Can Be Hijacked with This Tool [Vice Motherboard]