(LiveHacking.Com) – An executable file upload flaw found on Facebook, which allowed an attacker to upload and send an executable file to another Facebook user via the Facebook ‘Messages’ tab, has been fixed.
Nathan Power, a security penetration tester from Ohio, originallyposted details of the flaw a few days ago and initially Facebook seemed to play down the dangers of the flaw.
Facebook’s Security Manager Ryan McGeehan went on the record saying that “This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipients machine without an additional layer of social engineering.” He also underlined the contrived nature of the flaw saying “At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.”
It seemed from Ryan’s response that Facebook didn’t see this as a high priorirty and it might only get fixed at some time in the future. However yesterday Nathan updated his blog to report that the flaw has been fixed:
11/01/2011 Vulnerability Fixed
This means that Facebook did take the flaw seriously. Several things can be understood from this:
- The flaw wasn’t that hard to fix.
- Facebook do actually take security seriously (if not privacy).
- There are probably other flaws which Facebook’s internal audits find and are fixed quietly without any notifications.
- Facebook doesn’t issue security advisories.