You might want to think twice before using those handy "Sign in using Facebook" buttons on popular websites across the Web. That's because a researcher has discovered a bug that lets hackers take over your accounts using the Facebook login feature.
The bug doesn't give hackers access to your actual Facebook account, but it does let them access your account on third-party sites like Mashable, Booking.com, Vimeo and possibly more. The tool that exploits the bug is called RECONNECT and was created by a researcher named Egor Homakov. He recently released the tool publicly after saying he had warned Facebook and that the company ignored him.
“Go blackhats, don’t be shy!” he wrote on Twitter, apparently encouraging malicious hackers (blackhats) to take advantage of the tool. On Monday, however, Homakov told Motherboard that he created the tool because he had some “spare time” and the information “is public anyway.”
RECONNECT works by tricking a Facebook user into clicking on a malicious link, which then gives the hacker access to the victim's Facebook-connected account.
(The attack only works if the victim is logged into his or her Facebook account when clicking on the link, but that’s common for many people, who leave Facebook logged in at all times.)