Security researcher Egor Homakov, owner of the security company Sakurity informed Facebook a year ago about a vulnerability, which could allow hackers to take over Facebook pages.
Facebook has refused to correct the grounds that the patch would have ended compatibility with a large number of sites using this service, so Homakov posted a tool on the site Reconnect, which exploits the vulnerability and helps hack the accounts according to Marc Sparks.
The flaw doesn’t work directly on the Facebook login page. The vulnerability is within third-party account connections, and it does make it easier for hackers to access the account via third-party websites, like Bit.ly, About.me, Stumbleupon, Angel.co, Mashable and Vimeo.
Facebook has tried to make the flaw more difficult to exploit for hackers, in a way that does not remove the feature, and they gave some advice to website developers.
“It’s a situation that we understand,” said the social network in a statement sent by email. “Web developers who use Facebook Login can avoid the problem by following our best practices and using the state parameter we provide for OAuth Login”.
Facebook also said that the social network had “made several changes to prevent Cross-site Request Forgery (CSRF) connections” and they were studying “alternatives that preserve the Facebook Login functionality implemented by a large number of sites.”