Facebook Flaw Front and Center

Monday, October 31, 2011 @ 06:10 PM gHale

As manufacturers use Facebook more and more as a marketing tool among other things, security issues are coming more to the forefront as a security penetration tester discovered a major flaw in Facebook that could allow a person to send anyone on the social-networking site malicious applications.

Nathan Power, a senior security penetration tester at technology consultancy CDW, discovered the vulnerability. Facebook acknowledged the issue.

Attack Prevention: Better ‘Cyber Hygiene’
Companies Embrace, Fear Social Media
Cyber Threats Forecast for 2012
CFATS Reaches Stage Three

Power wrote Facebook does not normally allow a person to send an executable attachment using the “Message” tab. If you try to do that, it returns the message “Error Uploading: You cannot attach files of that type.”

Power wrote an analysis of the browser’s “POST” request sent to Facebook’s servers showed a variable called “filename” parses to see if it should allow a file. But by simply modifying the POST request with a space just after the file name, an executable could attach to the message.

“This was enough to trick the parser and allow our executable file to be attached and sent in a message,” Power said.

A person would not have to be an approved friend of the sender, as Facebook allows people to send messages to those who are not their friends. The danger is that a hacker could use social engineering techniques to coax someone to launch the attachment, which could potentially infect their computer with malicious software.

Leave a Reply

You must be logged in to post a comment.