You don’t get to be the biggest social network in the world without making a few smart moves. And one of the smartest moves Facebook made was making it easy to log in on other services and sites with your Facebook account. Successfully integrating the social network’s usernames and passwords as the simplest, most convenient ways to access other Web and mobile destinations makes having a Facebook profile seem like a necessity for digital living because it streamlines authentication processes for so many things. Commenting, new apps, invites, quizzes; almost any online onboarding process can be done via your Facebook account.
Facebook Connect (aka Facebook Login) opportunely positioned the company as a portal to the digital world. It was a savvy move, and a move that infuriates Internet users trying to de-tangle themselves from Facebook.
But for all the convenience of Facebook Connect, it appears the login process contains two troubling security breaches.
According to security researcher Egor Homakov, Facebook Connect has two problems. “Every website with ‘Connect Facebook account and log in with it is vulnerable to account hijacking,” he wrote on his blog. This is because, Homakov discovered, a hacker can use inline Javascript to automatically send credentials from a service someone uses to Facebook. The hacker could then get someone else to sign onto the wrong Facebook account unknowingly, in hopes that their victim would share information without realizing they were logged into the foreign account. This kind of attack is called a CSRF, or “cross-site request forgery.”
The second problem has to do with Facebook Connect redirecting users to other sites; Egor characterizes the problem as a security gap that could allow hackers to steal a username and password.
Homakov wrote Facebook about the breaches, but was frustrated by their response. “I contacted [Facebook] like 20 times,” he told Daily Dot in an email. Homakov eventually did receive a response, which he posted on his blog: “This is one of those areas that we’ve been aware of for awhile, but don’t really have a systemic solution,” a Facebook rep wrote, and then outlined why Homakov’s suggestion to fix one of the problems would not work for Facebook.
Daily Dot asked Homakov what the worst-case scenario would be if hackers did exploit these security holes. “Worst case is compromise of [the] login system on websites of clients, not on Facebook itself,” he wrote. “This is why they might ignore it—it doesn’t harm their business directly.” The first security flaw Homakov mentions only deals with data from the third-party sites.
Facebook has a different explanation—rather than not fixing it because it’s not important to the team, a spokesperson made clear that Facebook believes the current system is the most effective, flaws and all. “We go to great lengths to help developers write secure software. In this case, we’ve observed that the large majority of developers protect their users by correctly enforcing their own CSRF protection when linking accounts. After studying this issue carefully, we believe this is the most effective protection because the risk involves information contained on the third-party site, not from Facebook,” a representative told the Daily Dot in an email.
The Facebook spokesperson explained that the company hasn’t found a simple solution that it can implement, but noted that developers from each individual third-party site do have the power to plug these holes.
But having the power to plug holes and actually plugging them are two different things. And while holes like this exist and Facebook either unable or unwilling to find a truly secure solution with its third-party partners, it seems prudent to use Facebook Connect only with third-party websites known for having strong security.
Update: After hearing from a Facebok rep, we wanted to make a few things clear; the affected service is Facebook Login, not Facebook Connect (and if you’re all “what’s the difference?” allow us to refer you to this Quora post).
And we wanted to make it clear that the vulnerabilities talked about above are only valid if there are security issues with the third-party site using Facebook Login. The onus is on them, the developers of the outside site, though this still serves as a reminder that you should exercise caution when you use Facebook Login on a site that may have had major security issues.
H/T ZDNet | Photo via a.powers-fudyma/Flickr