The Inquirer-Home

Facebook messenger bug is exposed

Attachment feature poses problems for pokers
Fri Oct 28 2011, 12:22

PEOPLE CATALOGUE Facebook has a bug in its messaging application that could expose its users to malicious software and attacks.

The bug was revealed by security researcher Nathan Power, a penetration tester at consultancy CDW who posted it on his blog, Securitypentest.com.

"When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file," he wrote.

"A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment."

Facebook does have a system in place to block executable attachments, but with a little experimentation Power was able to subvert it.

"When attaching an executable file, Facebook will return an error message stating: 'Error Uploading: You cannot attach files of that type'," he explained.

"It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not. To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so: filename="cmd.exe "."

This was enough to trick the system and get the attachment, which remember, could come from an untrusted source or non-friend. Power added that it could potentially "allow an attacker to compromise a victim's computer system".

The vulnerability was disclosed to Facebook at the end of September, and acknowledged by it on 26 October. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Heartbleed bug discovered in OpenSSL

Have you reacted to Heartbleed?