A security researcher has discovered a vulnerability in Facebook’s messaging system that could allow an attacker to send executable attachments to anyone on the popular social network. The vulnerability is such that an attacker doesn’t necessarily need to be friends with the person to whom he sends the message.
Facebook’s operators, to their credit, thought this sort of attack through. By design, users aren’t supposed to be able to send executable file attachments via Facebook messaging (trying to do so results in an error message).
However, Nathan Power at SecurityPentest.com captured the browser POST request being sent to Facebook’s web servers when he attempted to send an executable attachment. He found that only the ‘filename’ was being parsed to determine which file types were allowed or not allowed.
So, he made a slight modification to the filename. Adding a space to “cmd.exe” so it appeared as “cmd.exe “ was enough to subvert Facebook’s security mechanism.
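The flaw described above is a blocklist applied to the raw, user-controlled filename. The following is an added example (not Facebook’s code or Power’s test material) that places such a naive check beside a hardened one; the blocklist and allowlist contents and the “MZ” header check are illustrative assumptions.

```python
import os
import string
import unicodedata

# Hypothetical service policy: extensions refused by the naive blocklist ...
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".msi"}
# ... and the allowlist used by the hardened variant (anything else is rejected).
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".pdf", ".txt"}
# Windows PE executables begin with the two-byte DOS header "MZ".
PE_MAGIC = b"MZ"


def naive_check(filename: str) -> bool:
    """Blocklist on the raw name, as the article describes: 'cmd.exe ' slips through
    because its extension is '.exe ' (with the trailing space), not '.exe'."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS


def canonical_extension(filename: str) -> str:
    """Normalize the user-supplied name before the extension is examined."""
    name = unicodedata.normalize("NFKC", filename)   # e.g. NBSP -> ordinary space
    # Keep only the last path component in case separators were embedded.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows silently drops trailing spaces and dots when a file is saved,
    # so 'cmd.exe ' and 'cmd.exe.' both land on disk as 'cmd.exe'.
    name = name.rstrip(string.whitespace + ".")
    _, ext = os.path.splitext(name)
    return ext.lower()


def hardened_check(filename: str, content: bytes) -> bool:
    """Allowlist on the canonical extension, plus a content check that does not
    depend on the name at all."""
    if canonical_extension(filename) not in ALLOWED_EXTENSIONS:
        return False
    if content.startswith(PE_MAGIC):
        return False
    return True
```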
Power reported the vulnerability to Facebook on Sept. 30. Facebook acknowledged the flaw on Oct. 26, and Power publicly disclosed it on Oct. 27.
It is important to note that you do not have to be friends with someone on Facebook in order to send that person a message.
For more of Threatpost’s Facebook security coverage, follow the link.