Consumerist
Hackers Can Now Use One Free Tool To Hijack Your Facebook-Linked Login For Pretty Much Any Site
Modern life means logging in to about a zillion different websites and apps every week, with about a zillion different accounts. But there are ways to streamline it all: for example, logging in to everything with your Facebook account, as millions do. That's much more convenient, not only for you, but for hackers who have a new way to target you: a free, easy-to-download tool that exploits a bug in those logins to let them hijack your account. Oops.
The researcher who discovered the bug and designed the tool set it loose in the wild last week, Vice's Motherboard site reports, after claiming Facebook ignored his reports of the problem.
The tool basically works by allowing an attacker to worm their way into a user's cookies for a specific website and then access their account on that site.
A representative for Facebook told Motherboard that the issue was indeed well-understood from last year, and that changes had been made in the past that should help prevent cross-site request forgery. However, Motherboard, with the aid of an outside security expert, tested the tool themselves on two different sites, with mixed results. In two instances it didn't work; in a third, it did. As they explain:
To take over my account, Homakov [the researcher who wrote the tool] simply created a custom URL using the tool he created. He then sent that link to me. I clicked on it, then clicked on Start RECONNECT on a page built by Homakov, and voila, my fake Mashable account was now linked to his Facebook account, giving him complete access to it. (The attack only works if the victim is logged into his or her Facebook account when clicking on the link, but that's common for many people, who leave Facebook logged in at all times.)
The security expert Motherboard spoke with confirmed that the flaw is a serious issue, but there is good news: this vulnerability doesn't just strike out of nowhere. In order to have their logins hijacked, users first need to have clicked on a malicious link, as in a phishing e-mail.
And so although this is a newly-reported vulnerability, age-old internet advice from twenty years ago still applies: be careful what you click. If it looks suspicious, assume it is.
http://consumerist.com/2015/03/10/hackers-can-now-use-one-free-tool-to-hijack-your-facebook-linked-login-for-pretty-much-any-site/
hobbit709
(41,694 posts)
And I don't link anything to Facebook.
many fools have faith in the system though. and in many ways...
arcane1
(38,613 posts)
Angleae
(4,487 posts)
Never had a FB account, never wanted one.