UPDATE–A security researcher has identified a pair of security issues in Facebook, one of which can be used to upload an arbitrary file to the site, and the other of which could allow an attacker to gain control of a victim’s machine under some limited circumstances and with user interaction.

Both vulnerabilities were identified by researcher David Sopas of WebSegura. The more serious is a reflected file download (RFD) flaw that an attacker can use to plant a malicious file on a victim’s machine that appears to come from a trusted Facebook domain. Sopas said he found two separate RFD issues on Facebook, both of which are still open right now. An attacker would need quite a bit of help from the user in order to execute an attack, though.

“The first one was present on Graph Facebook API and could be replicated under Internet Explorer 9 just by sending a link,” Sopas said in an advisory.

The attack also works on the current versions of Chrome and Opera, he said.

“To the user the entire process looks like a file is offered for download by a Facebook trusted domain and it would not raise any suspicion. A malicious user could gain total control over a victim’s computer and launch multiple attacks.”

In an email, Sopas said that Facebook’s security team replied to his advisory on Wednesday, saying that they will be back in touch with him soon about the report.

“They didn’t say directly that they’re not going to fix them. Facebook security team told me that they couldn’t control all the ways browsers may allow content downloads or the different app formats that a computer may allow. Just as we speak, I just received the following Facebook message thanking me for reporting these security issues to them and that they’ll contact me again for further bugs or updates. So it seems it will be fixed someday,” Sopas said by email.

RFD attacks are relatively new, and were detailed by Oren Hafif, a researcher at Trustwave’s SpiderLabs, last year.

“As long as RFD is out there, users should be extremely careful when downloading and executing files from the web. The download link might look perfectly fine and include a popular, trusted domain and use a secure connection, but users still need to be wary,” Hafif wrote in a post explaining the technique.
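A defender-side check for the RFD preconditions Hafif describes (a URL whose last path segment picks the saved filename, user input reflected into the body, and a response with no fixed download filename or nosniff header), as an added example that is not part of the original article and not code from Facebook, Sopas or Hafif; the `callback` parameter name, the executable-extension list and the sample responses are assumptions:

```python
# Added example: flags the conditions that make a JSON/JSONP response usable for a
# reflected file download, and shows the headers that close the download side.
# Parameter names, extension list and sample data are constructed for illustration.
import re
from urllib.parse import urlsplit

# Extensions that common shells run directly when a downloaded file is opened (assumed list).
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".com", ".sh", ".ps1", ".vbs", ".js"}

_FILENAME_RE = re.compile(r'filename\*?=\s*"?([^";]+)', re.IGNORECASE)


def rfd_risk(url: str, headers: dict, body: str, reflected_param: str = "callback") -> list:
    """Return the RFD preconditions this response satisfies (empty list means none)."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    # 1. The last path segment ends in an executable extension, so a browser that
    #    derives the filename from the URL would save the response under that name.
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    if any(last_segment.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        findings.append("path-controlled-filename")
    # 2. A request parameter value reappears verbatim in the body (reflection).
    params = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    value = params.get(reflected_param, "")
    if value and value in body:
        findings.append("reflected-input")
    # 3. No fixed attachment filename, so the browser chooses one from the URL.
    disposition = h.get("content-disposition", "")
    if not (disposition.lower().startswith("attachment") and _FILENAME_RE.search(disposition)):
        findings.append("no-fixed-filename")
    # 4. Without nosniff the browser may reinterpret the declared content type.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("sniffable-content-type")
    return findings


def harden_json_headers(filename: str = "response.json") -> dict:
    """Headers a JSON API should send so a response cannot be saved under a URL-chosen name."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
    }
```

The hardened headers remove the download-side conditions only; the reflection itself still has to be fixed by validating or escaping the echoed parameter.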

A Facebook spokesman said that the report from Sopas didn’t meet the company’s criteria for earning a bug bounty.

“Our bug bounty program excludes reports that have no practical security implications, as well as social engineering techniques that require significant interaction from the victim because technical changes are usually not the best way to address these threats,” the spokesman said.

The other issue that Sopas discovered allows an attacker to upload an arbitrary file to Facebook by using a special tool on the site.

“The first security issue I found was that it’s possible to upload a file with any kind of extension to Facebook server via Ads/Tools/Text_Overlay tool. This online tool checks the uploaded image for too much text on an image to use on their ads,” Sopas said in his advisory.

“A user can upload executable files or just use Facebook servers as a file repository. In my proof-of-concept I uploaded a batch file without any restriction and I can access it anytime, anywhere, as long as I’m logged in on my account.”

Sopas said that users need to be careful to inspect the links they’re clicking on, even ones that are from trusted domains.

“Users must be aware of this type of vulnerability and be careful where links come from. Even if they come from a trusted source it might be an attack. Check the link structure. I believe it’s a matter of time for Facebook to fix this,” he said.

This story was updated on March 11 to add the comment from Facebook.


Comment (1)

  1. Ricardo Iramar Santos

    Last year I found the same problem on the AOL Search website. I tried to contact them thousands of times but no luck. I didn’t ask for money and they don’t have any bug bounty program.
    So like you I decided to disclose on some mailing lists and after some days they fixed the problem.

    http://seclists.org/fulldisclosure/2015/Mar/6
