
Reconnect - Facebook Login Vulnerability


It's very simple: if we can log the user into our Facebook account, then we can connect our Facebook account to the victim's account on other websites. The victim loads our page and we get access to the victim's account on Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and a bunch of other websites.

Step 1. Loading the URL www.facebook.com/n/?mid=9dd1fd7G5af48de9ca58G0G86G119bb48c logs out any Facebook user.

Step 2. Logging the victim in under our Facebook account requires Origin = *.facebook.com on the request to login.php. Origin is sent by the browser itself and contains the domain of the page from which the request was made. In other words, we need to find a way to make a POST request from Facebook itself. For Firefox this isn't necessary: it doesn't send Origin at all for ordinary form-based requests. So the rest of the attack is specific to Chrome.
Create a Canvas application with these settings:

[image: Canvas application settings]

When a victim visits apps.facebook.com/482922061740192, Facebook sends a POST request to this URL (it must not be on facebook.com). We in turn answer with a 307 redirect (which preserves the HTTP verb, unlike 302), and this results in a POST request to www.facebook.com/login.php?email=attacker@email.com&pass=password with Origin: apps.facebook.com and our login/password. Now the victim is logged into our Facebook account.

Step 3. All that remains is to start the connect flow. A plain <img src="http://victim.com/auth/facebook"> tag will do.

Now that our Facebook account is connected to the victim's account, we can log directly into the victim's account, cancel a booking on Booking.com, read private messages, or change the password.

This simple bug chains three CSRFs at once: on logout, on login, and on linking a social account. The first two should be fixed by Facebook (but they refused; it's a WontFix), the last is up to the site's own developer.

Reconnect is a tool for hijacking accounts; you can copy the code and break anyone, I don't mind. Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo are used as examples, but any other website with Facebook Connect may be vulnerable. For example, all Rails sites using omniauth-facebook are vulnerable.
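The third CSRF is the one the site developer can close regardless of what Facebook does. Step 3 works because GET /auth/facebook starts the connect flow with no proof that the logged-in user asked for it. The following is an added example, not code from the original post or from any of the sites named: a framework-free sketch of a hardened "connect a social account" flow. Function and field names (start_connect, finish_connect, oauth_state) are hypothetical, the client id and redirect URI are placeholders, and the OAuth code exchange is left out since it does not bear on the CSRF.

```python
"""
Hardened 'connect a social account' flow (added example, not from the post).

Two defences, both assumed here:
  * the flow may only be started by a POST carrying the session's CSRF
    token, so a cross-site <img> (always a GET, never a token) is refused;
  * the OAuth ``state`` value is random, bound to the server-side session
    and consumed on the callback, so a callback this session never started
    is refused.
"""
import hmac
import secrets
from urllib.parse import urlencode

FB_AUTH_URL = "https://www.facebook.com/dialog/oauth"        # Facebook's OAuth dialog
CLIENT_ID = "APP_ID_PLACEHOLDER"                              # placeholder, not a real app id
REDIRECT_URI = "https://example.com/auth/facebook/callback"   # constructed


class ConnectRejected(Exception):
    """Raised when a connect request or its callback fails a check."""


def new_session(user_id):
    """Server-side session for a logged-in user; the CSRF token is per session."""
    return {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}


def start_connect(session, method, form_csrf_token):
    """Begin linking a Facebook account to the *current* user.

    Returns the authorization URL the browser should be redirected to.
    A GET (what <img src="/auth/facebook"> produces) or a missing or
    mismatched CSRF token is refused, so a third-party page cannot start
    the flow on the user's behalf.
    """
    if method != "POST":
        raise ConnectRejected("connect must be started with POST, not %s" % method)
    if not form_csrf_token or not hmac.compare_digest(form_csrf_token, session["csrf_token"]):
        raise ConnectRejected("missing or invalid CSRF token")

    # Fresh, unguessable state kept server-side and checked on the callback.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_user_id"] = session["user_id"]  # link only to the user who asked
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": "email",
    }
    return FB_AUTH_URL + "?" + urlencode(params)


def finish_connect(session, state_from_callback, fb_user_id, link_store):
    """Callback handler: link fb_user_id to the session's user only if the
    state matches the one this session issued. The state is single-use,
    so even a correct value cannot be replayed after a failed attempt.
    """
    expected = session.pop("oauth_state", None)
    requester = session.pop("oauth_user_id", None)
    if expected is None or state_from_callback is None:
        raise ConnectRejected("no pending connect flow for this session")
    if not hmac.compare_digest(expected, state_from_callback):
        raise ConnectRejected("state mismatch: callback was not initiated here")
    if requester != session["user_id"]:
        raise ConnectRejected("session user changed during the flow")
    link_store[session["user_id"]] = fb_user_id
    return True


def rejected(fn, *args):
    """True if the call is refused by one of the checks (used by the demo)."""
    try:
        fn(*args)
    except ConnectRejected:
        return True
    return False


if __name__ == "__main__":
    victim = new_session("victim")
    links = {}
    # What the <img> tag in Step 3 produces: a GET with no token -> refused.
    print("img-triggered GET refused:", rejected(start_connect, victim, "GET", None))
    # The user clicking a real "Connect Facebook" button -> allowed.
    url = start_connect(victim, "POST", victim["csrf_token"])
    print("redirecting to", url[:60], "...")
    # A callback carrying a state this session never issued -> refused.
    print("forged callback refused:", rejected(finish_connect, victim, "forged", "fb-1", links))
```

Requiring POST plus a token on the initiation endpoint is the same change OmniAuth later made its default; the state check on the callback is the standard OAuth 2.0 CSRF countermeasure and catches the case where the attacker supplies their own authorization response rather than starting the flow through the site.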

Source: https://habr.com/ru/post/252441/