Facebook has fixed a vulnerability in its Android app could allow an attacker to cause a denial-of-service condition on a device or run up the victim’s mobile bill by transferring large amounts of data to and from the device.
The flaw lies in the way that the Facebook app handles HTTP requests. The app include an HTTP server that they use as part of the video playback process. The server will accept requests from any client, which leads to the vulnerability, discovered by researchers at a foundation in Argentina.
“The application embeds a generic HTTP server component that is used as a caching proxy for playing video recordings. This server is misconfigured and accepts requests from any client, local or remote, allowing attackers to connect to it and use a victim’s device as an open proxy. As a results, among other things, an attacker could carry out various forms of denial of service attacks such as filling up the device’s storage or running up the subscriber’s data transfer limit over 3G or LTE networks,” the advisory says.
“An attacker could use a victim’s mobile with the Facebook app installed as an open proxy by querying the embedded HTTP server for ‘/proxy’ and passing as a parameter a shortened URL that points to any arbitrarily selected target site. Since all redirects are followed, an attacker could use a shortened URL, obtained from a site like ‘goo.gl’, as the target site parameter so the proxy works on all sites. She can also cause the phone to run out of internal storage by simply querying ‘/cache-thru’ with a ”remote-uri” set to a site containing a large file. The same can be done for running up the subscriber’s data transfer limit over 3G, LTE networks.”
The update from Facebook also fixes a pair of other vulnerabilities in the Facebook app, one that could allow an attacker to intercept video content in some circumstances and another that could disclose audio recordings of chat messages. The latter vulnerability also affects Facebook Messenger for Android.
Facebook fixed the HTTP server vulnerability in version 220.127.116.11.14 and the other two flaws in version 10.0.0.28.27, and version 18.104.22.168.1 of Facebook Messenger.