Security researcher finds major security flaw in Facebook

[Jack]

A security researcher has discovered a major security hole affecting the most popular social networking site, Facebook.

Basically, the researcher found a way to upload executable files — such as those most commonly used by malicious software — on the social network site for potential sharing. Needless to say that the potential for abuse by malicious attackers is pretty evident.

More details:

When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Using this feature normally, the site won’t allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

Is the ultimate distribution of executable files the cornerstone for distributing malware across the social networking sites? Not at all. Cybercriminals often rely on innocent-looking links that redirect to client-side exploits serving domains for achieving their objectives.

The researcher notified Facebook on 09/30/2011 and received a confirmation of his findings on 10/26/2011.

Facebook’s Security Manager Ryan McGeehan had this to say:

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipients machine without an additional layer of social engineering.Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall.At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.

via ZDnet

 

[Nathan Wootton]

Oh Dear, Facebook seems to be going downhill, in my eyes.

To many changes! what was wrong with the old layout ect.

too many new things wich there rushing out making flaws. tut tut

 

[imsoadude]

Yea many security issues with facebook, they should have their sign up as "It's free and always will be. but beware" lol

 

[Luke[Dumke480]]

Atleast they aren't selling our Private information..

hahahah.

 

[Jack]

At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.

Have to agree with him .... this is not a very practical way to infect the final user as at it requires a high level of social engineering, something like "I have sent you some hot pictures in this private message!Open them and see me..." could this would me infecting the users one by one and I'm sure that at some point someone would report the sender to Facebook.
Overall WOW....how could Facebook miss this.... .exe in attachments is big NO NO.but the good part is that this should be very easy to fix.

 

[illumination]

Researcher finds way to send executable file on Facebook

Researchers have discovered a way to evade Facebook security controls to deliver a message that could come outfitted with a malicious attachment.
Read More

 

[Deleted member 178]

RE: Researcher finds way to send executable file on Facebook

that will be funny if it is spreading

 

[imsoadude]

RE: Researcher finds way to send executable file on Facebook

Well im definitely not opening any exe's from facebook emails ever lol

 

[AyeAyeCaptain]

This is the result of frequent and rushed updates pushed onto users without them even wanting it... in turn security gets overlooked. Don't matter how simple something is, when an exploit is made, too many gullable, oblivous users just click click click away. And in turn it just spreads like wild fire!

 

[moonshine]

Facebook users, Especially users that doesn't have any knowledge when it comes to security (Click Happy People) needs to be educated and be very careful at the same time. A good security setup will help them too in keeping away from this malicious executables.

 

[AyeAyeCaptain]

I think Facebook should do more in their effort against such things, and also educate novice users about the dangers so they can learn to read the signs and engage the brain a little more before clicking away on anything. But of course they won't as they don't have much regard for the end user anyway, change what they want when they want, track who they want and where they want even if you have never visited the official site before??!!