::Trend Micro Threat Resource Center::

21 March 2015

Facebook login exploit 'a phisher's dream'

Data breaches happen in numerous ways. So many ways, in fact, that it's difficult for security teams to predict where an attack will happen next. The latest is an exploit of Facebook login on numerous websites. Once accounts are hijacked in this way, they can be held for ransom or used by a phisher to work their way into much larger and more profitable data sets.

It's accomplished through the use of a ready-to-use tool called Reconnect. The tool has been released to the wild and is therefore accessible to anyone. Essentially, Reconnect enables the user to log on to a website using stolen Facebook credentials.

"I tested this out and it looks legitimate. This is a phisher's dream really, I am sure we will see a lot of Facebook accounts compromised by this. Hopefully, Facebook is working on a fix," said Ken Westin, senior security analyst at Tripwire.

Security researchers believe that most, if not all, websites that enable Facebook login are vulnerable to the exploit. The blackhat release site says Reconnect can be used to hijack accounts on websites such as Booking.com, Bit.ly, About.me, StumbleUpon, Angel.co, Mashable.com, Vimeo and many others.

"This is indeed a very big issue as many popular websites use Facebook's delegated identification, so a widespread exploit could wreak a lot of havoc," said Branden Spikes, CEO of Spikes Security.

"Giving Facebook a little benefit of the doubt here, this looks like an instance of an unfortunate practice where black hats or corrupt penetration testing firms discover big vulnerabilities like this, and rather than submitting them through the standard bug bounty channels (or on the terms of their professional contract with the victim) they choose to ransom them instead," he added.

Phishing: it's not just for email anymore. Until Facebook finds a fix, it may behoove companies to disable Facebook login on their own sites.