Free BlackHat Tool Lets You Hijack Facebook Accounts

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Mar 12, 2015.

  1. The Scarlet Pimp

    Last week, a security firm researcher released a free tool that allows hackers to access accounts on sites that use Facebook Login. The researcher, Egor Homakov, first wrote about the flaw he'd found in the login in Jan. 2014.

    However, Facebook said they would not fix the issue because it would have disrupted the login feature's compatibility with many websites. Now Homakov has taken it upon himself to teach Facebook a lesson and release a tool called Reconnect that takes advantage of the loophole.

    "Facebook refused to fix this issue one year ago, unfortunately it's time to take it to the next level and give blackhats this simple tool," he wrote in a blog post.

    Reconnect works by generating malicious URLs that, when clicked, log users out of their own Facebook accounts and into accounts set up by hackers. That then gives the attackers control over the victim's account.

    The tool can generate fake links for sites including Mashable, Vimeo, Bit.ly, Stumbleupon and more. For its part, Facebook has said that it is aware of the flaws Homakov is taking advantage of, and if sites that use the Login feature take the proper steps to protect themselves they should not have any issues.

    http://sakurity.com/blog/2015/03/05/RECONNECT.html

    http://facecrooks.com/Internet-Safe...rs-Hijack-Accounts-Using-Facebook-Login.html/
     
  2. RuthSam

    And where do you download the tool?
     
  3. The Scarlet Pimp

  4. blommas

    The dude who made this should show it to Facebook and get money from them. They give out money to people hacking their system, to make their system better.
     
  5. Nut-Nights

    Fb will surely offer big $$$ to him.
     
  6. indianbill007

    This has been a known bug since 2014, FB knows about it already, and lots of blackhatters are using it to collect tokens.

    The problem is there is no way for FB to fix this, because if they remove this feature, all the sites which are using OAuth token-based logins will break.

    This is the reason FB tokens now expire after a few weeks. But a few weeks are enough for most blackhatters ;)
     
  7. DarkPixel

    From the OP (which you didn't read)

     
  8. abhi007

    I think someone mentioned FB already knows about this, right?