Even after almost a year, Facebook apparently has failed to fix a bug that lets attackers hijack accounts on sites that use Facebook login, such as Mashable, Bit.ly, About.me, Vimeo, Angel.co and StumbleUpon, according to a blog post on Sakurity.com.
Egor Homakov, the author of the post, explains that “this bug abuses triple-CSRFs at once: CSRF on logout, CSRF on login and CSRF on account connection.”
Homakov states that despite his warning, Facebook has failed to eliminate the bug.
He continues: “the first two can be fixed by Facebook. #3 must be fixed by website owners.”
Because Facebook has ignored the report, he says he will take what he calls Reconnect “to the next level and give blackhats this simple tool.”
In the blog post, Homakov gives the step-by-step process: the attacker creates a rogue Facebook account and a malicious link; when a victim clicks it, the victim's browser is logged out of Facebook, logged into the attacker's Facebook account, and then sent to the target site's “connect with Facebook” endpoint, which binds the attacker's Facebook account to the victim's account on that site. The attacker can then sign in to that site with the rogue Facebook account and land in the victim's account. The same applies to users who sign in to sites like Mashable with their Facebook credentials.
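The third CSRF, the one Homakov says website owners must fix themselves, is an account-linking endpoint that trusts whatever Facebook identity the browser happens to hold. The following model is an added example, not code from the Sakurity post or from any of the affected sites; the `Site` class, the user names and the `fb:` identifiers are hypothetical. It shows the vulnerable linking logic beside a hardened version that requires a single-use, session-bound `state` value (the standard OAuth 2.0 CSRF defence), and replays the Reconnect chain against both.

```python
"""
Model of the Reconnect account-linking CSRF and the website-side fix.
Constructed example; the site, sessions and Facebook ids are hypothetical.
"""
import secrets


class Site:
    """A website offering 'connect with Facebook' on an existing account."""

    def __init__(self):
        self.links = {}      # fb_uid -> site username
        self.sessions = {}   # session id -> {"user": str, "oauth_state": str | None}

    def login(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, "oauth_state": None}
        return sid

    # Vulnerable: links whatever Facebook identity the browser currently presents.
    def connect_vulnerable(self, sid, fb_uid):
        self.links[fb_uid] = self.sessions[sid]["user"]
        return True

    # Hardened: the connect flow starts by minting a state value bound to the
    # session; the callback is honoured only if it returns that same value.
    def begin_connect(self, sid):
        state = secrets.token_urlsafe(32)
        self.sessions[sid]["oauth_state"] = state
        return state  # goes into the redirect to Facebook as ?state=...

    def connect_hardened(self, sid, fb_uid, state):
        sess = self.sessions[sid]
        expected = sess["oauth_state"]
        sess["oauth_state"] = None  # single use, so a captured value cannot be replayed
        if expected is None or not secrets.compare_digest(expected, state or ""):
            return False
        if fb_uid in self.links and self.links[fb_uid] != sess["user"]:
            return False  # this Facebook account is already bound to someone else
        self.links[fb_uid] = sess["user"]
        return True

    def login_with_facebook(self, fb_uid):
        return self.links.get(fb_uid)


def reconnect_attack(hardened):
    """Replay the three-step chain; returns (link succeeded, who the attacker becomes)."""
    site = Site()
    victim_sid = site.login("victim")  # victim is signed in to the site
    # Steps 1 and 2 (CSRF logout + CSRF login on Facebook) leave the victim's
    # browser logged into the attacker's Facebook account.
    attacker_fb_uid = "fb:attacker"
    # Step 3: the attacker's page makes the victim's browser hit the connect
    # endpoint. A cross-site request cannot know a state value issued to the
    # victim's session, so the forged request carries a guess at best.
    if hardened:
        linked = site.connect_hardened(victim_sid, attacker_fb_uid, state="guess")
    else:
        linked = site.connect_vulnerable(victim_sid, attacker_fb_uid)
    # The attacker now signs in to the site with the rogue Facebook account.
    return linked, site.login_with_facebook(attacker_fb_uid)


def legitimate_connect():
    """A real user completing the hardened flow, plus a replay of the same state."""
    site = Site()
    sid = site.login("alice")
    state = site.begin_connect(sid)
    ok = site.connect_hardened(sid, "fb:alice", state)       # genuine callback
    replay = site.connect_hardened(sid, "fb:alice", state)   # same state again
    return ok, replay, site.login_with_facebook("fb:alice")


if __name__ == "__main__":
    print("vulnerable:", reconnect_attack(hardened=False))
    print("hardened:  ", reconnect_attack(hardened=True))
    print("legit:     ", legitimate_connect())
```

Against the vulnerable endpoint the attacker's Facebook account ends up linked to the victim's site account, so the attacker's own Facebook login opens the victim's account. With the `state` check in place the forged request is rejected and nothing is linked, which is exactly the site-side fix Homakov says the website owners must apply; the Facebook-side logout and login CSRFs are not something the site can close on its own.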