Reconnect - Facebook Login Vulnerability


    Everything is very simple - if we can log the victim in to our Facebook account, then we can connect our Facebook account to the victim’s account on other websites. The victim loads our page and we gain access to the victim’s account on,,, Stumbleupon,,, Vimeo and a bunch of other websites.

    Step 1. Loading this URL logs out any FB user (a logout CSRF).

    Step 2. Logging a victim in under our Facebook account requires Origin = *. on the request to login.php. Origin is set by the browser itself and contains the domain of the page from which the request was made. In other words, we need a way to make a POST request from Facebook itself. This is not needed for Firefox - it does not send Origin at all for ordinary form submissions. So the rest of the hack is specific to Chrome.

    Let's create a Canvas application with the following settings:


    When the victim lands on, Facebook sends a POST request to this URL (it must not be on We, in turn, answer with a 307 redirect (which preserves the HTTP verb, unlike 302), and this produces a POST request to with Origin: and our username / password. The victim is now logged in to our Facebook account.

    Step 3. All that remains is to start the connection process. The normal connection flow will work.

    Now that our Facebook account is connected to the victim’s account, we can log in directly to the victim’s account, cancel reservations on, read private messages, or change the password.

    This simple bug chains three CSRFs at once - on logout, on login, and on linking a social account. The first two should be fixed by Facebook (but they refused; it is a WontFix), the last is the website developer’s job.
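    The third CSRF, on the "connect social account" step, is the one a site developer can close. As an added illustration (not code from the original post or from omniauth-facebook), here is a minimal Ruby model of a connect callback: the vulnerable version links whatever Facebook identity the callback carries to the logged-in user, while the hardened version binds a single-use OAuth `state` value to the user's session and rejects callbacks that do not present it. The session and user store are plain hashes constructed for the example.

```ruby
require 'securerandom'

# Constructed stand-ins: `session` is a per-browser hash, `users` maps a user id
# to its record. `fb_uid` is the Facebook identity the provider redirected back
# with after the OAuth dance.

# Vulnerable: no CSRF protection on the connect callback. If the victim's
# browser is walked through the connect flow while logged in to a Facebook
# account it does not own (the chain described above), that account's uid gets
# linked to the victim's site account.
def vulnerable_connect(session, users, fb_uid)
  users[session[:user_id]][:facebook_uid] = fb_uid
  :linked
end

# Hardened, part 1: when the user starts the connect flow, mint a random state
# value, store it in the session, and send it to the provider as `state`.
def start_connect(session)
  state = SecureRandom.hex(16)
  session[:oauth_state] = state
  state
end

# Constant-time comparison so the check does not leak the expected value
# through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened, part 2: the callback must carry the state bound to this session.
# The state is consumed on first use, so a stale or replayed callback fails.
# A cross-site flow cannot read the victim's session, so it cannot supply it.
def safe_connect(session, users, fb_uid, state)
  expected = session.delete(:oauth_state)
  return :rejected if expected.nil? || state.nil?
  return :rejected unless secure_equal?(state.to_s, expected)
  users[session[:user_id]][:facebook_uid] = fb_uid
  :linked
end

if __FILE__ == $PROGRAM_NAME
  users = { 42 => { facebook_uid: nil } }
  session = { user_id: 42 }
  puts safe_connect(session, users, 'uid-from-callback', 'forged')  # rejected
  state = start_connect(session)
  puts safe_connect(session, users, 'uid-from-callback', state)     # linked
end
```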

    Reconnect is a tool for hijacking accounts; you can copy the code and break anyone - I do not mind. Examples include,,, Stumbleupon,,, Vimeo, but any other website using Facebook Connect may be vulnerable. For example, all Rails sites using omniauth-facebook are vulnerable.
