Security expert Egor Homakov of Sakurity has released the Reconnect tool, which lets attackers exploit a Facebook vulnerability to break into accounts on websites that use the "connect to Facebook" feature.
Homakov, who works for the pentesting company Sakurity, reported the Facebook vulnerability a year ago, but Facebook did not change its code to protect the huge number of websites that use the feature.
Reconnect exploits a cross-site request forgery (CSRF) flaw in Facebook Login, the feature that lets users sign in to third-party websites with their Facebook accounts. In short, the vulnerability allows an attacker to gain access to a victim's account on websites that integrate Facebook apps, such as Mashable, Vimeo, About.me, StumbleUpon and many others.
"The Reconnect is a ready-to-use tool to hack website accounts that use Facebook Login, for example Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many more," Homakov wrote in a post on his company's blog.
Facebook, for its part, declined to treat the issue as a vulnerability, placing the blame on developers who do not follow Facebook's best practices.
In other words, the social network did not fix the vulnerability because the researcher did not follow Facebook's procedure to the letter.
Until Facebook fixes the problem, websites that use Facebook Login can disable the feature on their sites.
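The CSRF weakness described above and the "best practices" Facebook points to both come down to one site-side check: the callback that links a social login to a local account must only be accepted if the same browser session started the flow. The following is an added example, not Homakov's tool, Facebook's code, or any real site's code; the endpoint URL, app id, callback URI, code-to-identity table and function names are all constructed for illustration. It places the unprotected callback handler beside the hardened one, which uses the standard OAuth 2.0 `state` parameter: an unguessable value minted per session, sent with the redirect, and required to match on return. The check is what a site can apply on its own side; it does not substitute for a fix by the identity provider.

```python
import hmac
import secrets

# Constructed placeholders for this example; not Facebook's real endpoint or app id.
AUTH_ENDPOINT = "https://idp.example.invalid/oauth/authorize"
APP_ID = "EXAMPLE_APP_ID"
CALLBACK_URI = "https://site.example.invalid/callback"

# Constructed stand-in for the code-for-identity exchange a site performs against
# the identity provider's token endpoint: each one-time code maps to the
# identity-provider account it was issued for.
ISSUED_CODES = {
    "code-for-victim": "victim-fb-account",
    "code-for-attacker": "attacker-fb-account",
}


def exchange_code(code):
    return ISSUED_CODES[code]


def begin_login_unprotected(session):
    """'Before' form: the redirect carries no state, so nothing ties the
    eventual callback to the session that started the flow."""
    return f"{AUTH_ENDPOINT}?client_id={APP_ID}&redirect_uri={CALLBACK_URI}"


def handle_callback_unprotected(session, params):
    """Accepts whatever code arrives and links the resulting identity to the
    current session, whoever that identity belongs to."""
    session["linked_identity"] = exchange_code(params["code"])
    return True


def begin_login_protected(session):
    """Hardened form: mint an unguessable state value, store it server-side in
    the user's session, and send it along with the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return f"{AUTH_ENDPOINT}?client_id={APP_ID}&redirect_uri={CALLBACK_URI}&state={state}"


def handle_callback_protected(session, params):
    """Reject the callback unless the returned state matches the one this
    session minted; compare in constant time and consume the value once."""
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if not expected or not received or not hmac.compare_digest(expected, received):
        return False
    session["linked_identity"] = exchange_code(params["code"])
    return True


def simulate_forged_connect(handler):
    """A logged-in victim who never started a connect flow is driven (CSRF) to
    the callback with a code issued for the attacker's identity-provider account.
    Returns (accepted, identity now linked to the victim's session)."""
    victim_session = {"user": "victim"}
    forged_params = {"code": "code-for-attacker"}
    accepted = handler(victim_session, forged_params)
    return accepted, victim_session.get("linked_identity")


def simulate_legit_connect():
    """The intended flow under the hardened handler: the session that minted the
    state is the one that completes the callback. Returns (accepted, linked
    identity, whether the one-time state is still present afterwards)."""
    session = {"user": "victim"}
    url = begin_login_protected(session)
    state = url.rsplit("state=", 1)[1]
    accepted = handle_callback_protected(session, {"code": "code-for-victim", "state": state})
    return accepted, session.get("linked_identity"), "oauth_state" in session


if __name__ == "__main__":
    print("unprotected forged connect:", simulate_forged_connect(handle_callback_unprotected))
    print("protected forged connect:  ", simulate_forged_connect(handle_callback_protected))
    print("protected legitimate flow: ", simulate_legit_connect())
```

Running it shows the unprotected handler silently binding the attacker's identity-provider account to the victim's session, while the protected handler refuses the same request because no matching state was ever minted for that session. Popping the state rather than reading it also makes each value single-use, so a value that leaks after the flow completes cannot be replayed.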