Saturday, October 29, 2011

Researcher Exposes Vulnerability Allowing Users to Attach EXE Files to Facebook Messages

Facebook EXE Vulnerability Browser Post (image)

-- Update 11/1/11 --

It has been reported that Facebook has fixed this vulnerability.

-- End Update --

Nathan Power of SecurityPentest has discovered a way to bypass Facebook’s security check that prevents users from attaching executable files (exe) to Facebook messages.

Typically, when you attempt to upload an exe file to a Facebook message, you will be greeted with an error saying, “Error Uploading: You cannot attach files of that type.”

However, after capturing the web browser's POST request being sent to the server, Nathan found that you could bypass the security mechanisms in place simply by adding a space at the end of the filename.
Original:

filename="cmd.exe"

Updated:

filename="cmd.exe "
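To show why that trailing space works and how a server-side filter should be written instead, here is an added example (not Facebook's or Nathan Power's code): a naive string match on the raw filename beside a check that canonicalizes the name first and then applies an allowlist. The extension lists and the PE-header sniff are assumptions for illustration.

```python
"""Naive vs. hardened attachment filename filtering (added example)."""
import re
import unicodedata

# Constructed lists for the demo; a real deployment would tune these.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "bat", "cmd", "pif", "msi"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def naive_is_blocked(filename: str) -> bool:
    """Denylist match on the raw filename, as the post describes the original check.
    'cmd.exe ' (trailing space) is not caught because its last segment is 'exe ',
    not 'exe'; the receiving OS will still treat the file as an executable."""
    return filename.lower().rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Canonicalize before any extension decision: fold Unicode compatibility
    characters (e.g. NBSP -> space), drop control/format characters, keep only
    the basename, and strip surrounding whitespace plus trailing dots, which
    Windows silently ignores when resolving a file name."""
    name = unicodedata.normalize("NFKC", filename)
    name = "".join(ch for ch in name if unicodedata.category(ch)[0] != "C")
    name = re.split(r"[\\/]", name)[-1]
    return name.strip().rstrip(". ")


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the canonical name, or '' if none."""
    name = normalize_filename(filename)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist on the canonical extension: disguised or unknown types are
    rejected instead of relying on a denylist string match."""
    ext = extension_of(filename)
    return ext != "" and ext in ALLOWED_EXTENSIONS


def looks_like_pe(data: bytes) -> bool:
    """Content check independent of the name: Windows executables begin with
    the 'MZ' DOS header. A second layer alongside filename filtering."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    print("naive blocks 'cmd.exe ':", naive_is_blocked("cmd.exe "))      # False
    print("hardened allows 'cmd.exe ':", hardened_is_allowed("cmd.exe "))  # False
```

The same normalization also defeats trailing dots, non-breaking spaces and zero-width characters, which a plain suffix match would miss for the same reason.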

Obviously this vulnerability is bad news since it will allow ill-willed Facebook users to send malicious files – such as malware, spyware, or even viruses – to unsuspecting Facebook users.

What makes matters worse is that you don’t have to be friends with a Facebook user in order to send them a message. That is, of course, unless that user has beefed up their Facebook account security to keep users not on their friends list from sending them messages.

On the plus side, an exe file attached to a Facebook message will not execute UNLESS the recipient decides to download the file. So, if someone sends you a message with an exe file attached, be sure that you don’t open it. ;)

This vulnerability was reported to Facebook at the end of September and they acknowledged its existence on Wednesday. Facebook’s Security Manager Ryan McGeehan issued the following statement in response:
This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient's machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall. At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.

So there you have it, folks. Should someone decide to send you a malicious exe file via Facebook message, they can do so with relatively little effort.

It’s highly recommended that you update your Facebook security settings to prevent any unfriendlies from sending you dangerous files. You’ll find instructions on how to update these settings here.

Also feel free to check out Nathan Power's post outlining his discovery of the Facebook message EXE vulnerability.

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest computer security threats.

Photo Credit: Nathan Power
