June 14, 2021

Does Facebook Have a .EXE Upload Vulnerability?

(LiveHacking.Com) – Nathan Power, a security penetration tester from Ohio, has posted details of a flaw in Facebook which allows an attacker to upload and send a executable file to another Facebook user via the Facebook ‘Messages’ tab.

Normally Facebook doesn’t allow users to upload and send executables in an attempt to limit the spread of malware via its service.

Nathan analysed the way the messaging service works and discovered that Facebook rely on a parameter (called filename) included in the POST message to detect executable files. To subvert the security mechanisms to allow an .exe file type, Nathan modified the POST request by appending a space to the filename variable like so: filename=”cmd.exe ”

The result was that the file was uploaded and sent to the other Facebook user. Of course further work is needed by the attacker to convince the user to run the executable. If the user is unaware that running unknown executables on their computer is dangerous then there are other simpler methods (like plain old simple email) which could be used rather than tweaking Facebook.

ZDNET have a response from Facebook’s Security Manager Ryan McGeehan:

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipients machine without an additional layer of social engineering.Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall.At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks