Last week, a researcher at a security firm released a free tool that allows hackers to access accounts on sites that use Facebook Login. The researcher, Egor Homakov, first wrote in January 2014 about the flaw he’d found in the login feature. However, Facebook said it would not fix the issue because doing so would have disrupted the login feature’s compatibility with many websites. Now Homakov has taken it upon himself to teach Facebook a lesson by releasing a tool called Reconnect that takes advantage of the loophole.
“Facebook refused to fix this issue one year ago, unfortunately it’s time to take it to the next level and give blackhats this simple tool,” he wrote in a blog post.
Reconnect works by generating malicious URLs that, when clicked, log users out of their own Facebook accounts and into accounts set up by hackers. That then gives the attackers control over the victim’s account. The tool can generate such links for sites including Mashable, Vimeo, Bit.ly, StumbleUpon and more. For its part, Facebook has said that it is aware of the flaws Homakov is taking advantage of, and that sites that use the Login feature should not have any issues if they take the proper steps to protect themselves.
Readers: what do you think of Homakov giving this tool away to hackers who could take advantage of everyday Facebook users? Do you think that’s the right way to get Facebook’s attention?