Friday, October 28, 2011

Facebook (Appears to Have) Fixed the EXE Vulnerability

Just yesterday, researchers at Security Pentest published a vulnerability in Facebook's messaging system that let a user, by editing the POST data of an upload, attach an EXE file to a message and send it to anyone who can receive messages on Facebook (almost everyone, friends or not). Facebook normally refuses executable attachments, and for good reason: EXEs have been sent by email for ages, but Facebook users are notorious for clicking links and attachments on the site, so that extra layer of filtering matters. The full vulnerability post can be read here: http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html

I decided to try out the vulnerability to see if it had been fixed (it's been about 24 hours since the issue was made public, but over a month since Facebook was notified). From what I've been able to tell, Facebook has now fixed the vulnerability.

Using Tamper Data (an add-on for Firefox), the POST data could be edited while submitting a file as an attachment to a message. In the multipart form data, the string <filename="filename.exe"> could be changed to <filename="filename.exe "> (angle brackets added for readability). Notice the space after the file name. Apparently Facebook was not trimming this value before checking the extension, so the extension compared as "exe " rather than "exe", the check failed to match, and the additional space was enough to let an EXE file slip through.

However, now the vulnerability appears to have been fixed. Attempting the same exploit results in an error message: "Unfortunately, your attachment could not be uploaded at this time. Please try again later."
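The bypass described above, and the kind of check that closes it, as an added example. This is constructed illustration code, not Facebook's code or anything from the Security Pentest post: the multipart part headers, the blocklist, and the function names are all assumptions. The naive check compares the untrimmed extension against a blocklist and so misses "filename.exe "; the hardened check normalises the name first and also looks at the file's own bytes (Windows executables begin with the "MZ" signature), so the name alone cannot get an executable through.

```python
"""Attachment-extension filter: naive check beside a hardened one.

Constructed example (not Facebook's code) modelling a multipart/form-data
upload whose Content-Disposition filename carries a trailing space, which a
non-trimming extension blocklist fails to match.
"""
import re

# Assumed blocklist: extensions a messaging service would refuse to attach.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "msi", "dll"}

# Pulls the quoted filename parameter out of a Content-Disposition header.
_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def extract_filename(content_disposition: str) -> str:
    """Return the filename parameter exactly as the client sent it (no trimming)."""
    m = _FILENAME_RE.search(content_disposition)
    return m.group(1) if m else ""


def naive_is_blocked(filename: str) -> bool:
    """The flawed check: the untrimmed last extension is compared to the list.
    'filename.exe ' yields the extension 'exe ' and is not blocked."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS


def hardened_is_blocked(filename: str, data: bytes = b"") -> bool:
    """Normalise the name before deciding, and never trust the name alone."""
    # 1. Strip surrounding whitespace and any trailing dots or spaces; Windows
    #    drops those when saving, so 'a.exe. ' lands on disk as 'a.exe'.
    name = filename.strip().rstrip(". ")
    # 2. Keep only the basename so 'dir/x.exe' and 'C:\\x.exe' are treated alike.
    name = re.split(r"[\\/]", name)[-1]
    # 3. Conservative choice: block if ANY extension segment is on the list,
    #    so 'photo.jpg.EXE' is caught whatever case or padding it carries.
    segments = [s.strip() for s in name.lower().split(".")[1:]]
    if any(s in BLOCKED_EXTENSIONS for s in segments):
        return True
    # 4. Content check: PE executables start with the DOS stub signature b"MZ",
    #    regardless of what the filename claims.
    return data[:2] == b"MZ"


# Constructed multipart part headers, as a browser (or Tamper Data) would send
# them. The second is the tampered version: note the space after '.exe'.
ORIGINAL_PART = (
    'Content-Disposition: form-data; name="attachment"; filename="filename.exe"\r\n'
    "Content-Type: application/octet-stream\r\n"
)
TAMPERED_PART = (
    'Content-Disposition: form-data; name="attachment"; filename="filename.exe "\r\n'
    "Content-Type: application/octet-stream\r\n"
)
# Constructed stand-in for the first bytes of a PE executable ('MZ' stub).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60


def evaluate(part: str, data: bytes) -> dict:
    """Run both checks against one upload part and return the verdicts."""
    cd_line = next(
        line for line in part.split("\r\n")
        if line.lower().startswith("content-disposition")
    )
    fname = extract_filename(cd_line)
    return {
        "filename": fname,
        "naive_blocked": naive_is_blocked(fname),
        "hardened_blocked": hardened_is_blocked(fname, data),
    }


if __name__ == "__main__":
    for label, part in (("original", ORIGINAL_PART), ("tampered", TAMPERED_PART)):
        print(label, evaluate(part, PE_STUB))
```

Run it and the naive check blocks the original part but passes the tampered one, while the hardened check blocks both. The content check in step 4 is what makes the name irrelevant: the point of the fix is not to add one more string comparison but to stop deciding on attacker-controlled metadata alone.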

[Screenshot: Tamper Data, changing the file name in the POST header]
[Screenshot: Facebook messaging error]

