Researcher sends executable over Facebook

Powered by SC Magazine
 

Trick the parser.

Researchers have discovered a way to evade Facebook security controls to deliver a message on the social networking site that contains an executable file.

Facebook normally strips out messages that contain executables from its private messaging feature. But a yet-to-be-fixed vulnerability, discovered by penetration tester Nathan Power, could enable someone to undermine these security controls by altering the 'POST' request, which is used to send data to a server.

The researchers captured the POST query that is sent when attempting to upload an attachment, and altered the coding.

"It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not," according to the vulnerability disclosure. "To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable."

Doing this allowed the researchers to "trick the parser" and attach an executable to the message.

A bug like this is dangerous because it could allow criminals to send messages that contain malware. Power reported the vulnerability to Facebook on 30 September and the company acknowledged its existence on Wednesday.

A Facebook spokesman said the exploit, as diagrammed by the researcher, would not impact a recipient.

"The attack...would only allow a user to send an obfuscated renamed file to another user, but this file would not execute on a recipients machine," the spokesman said, adding that Facebook also relies on anti-virus technology to weed out potentially malicious files.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Researcher sends executable over Facebook
 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  70%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 713

Vote