Security researcher finds major security flaw in Facebook

Status
Not open for further replies.

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
ZDnet said:
A security researcher has discovered a major security hole affecting the most popular social networking site, Facebook.

hot_stuff.png


Basically, the researcher found a way to upload executable files — such as those most commonly used by malicious software — on the social network site for potential sharing. Needless to say that the potential for abuse by malicious attackers is pretty evident.

More details:

When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Using this feature normally, the site won’t allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

Is the ultimate distribution of executable files the cornerstone for distributing malware across the social networking sites? Not at all. Cybercriminals often rely on innocent-looking links that redirect to client-side exploits serving domains for achieving their objectives.


The researcher notified Facebook on 09/30/2011 and received a confirmation of his findings on 10/26/2011.

Facebook’s Security Manager Ryan McGeehan had this to say:

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipients machine without an additional layer of social engineering.Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall.At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.


via ZDnet
 

Nathan Wootton

Level 1
May 25, 2011
313
Oh Dear, Facebook seems to be going downhill, in my eyes.

To many changes! what was wrong with the old layout ect.

too many new things wich there rushing out making flaws. tut tut
 

imsoadude

Level 3
Verified
Feb 21, 2011
838
Yea many security issues with facebook, they should have their sign up as "It's free and always will be. but beware" lol
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Facebook’s Security Manager Ryan McGeehan said:
At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.
Have to agree with him .... this is not a very practical way to infect the final user as at it requires a high level of social engineering, something like "I have sent you some hot pictures in this private message!Open them and see me..." could this would me infecting the users one by one and I'm sure that at some point someone would report the sender to Facebook.
Overall WOW....how could Facebook miss this.... .exe in attachments is big NO NO.but the good part is that this should be very easy to fix.
 
I

illumination

Researcher finds way to send executable file on Facebook

Researchers have discovered a way to evade Facebook security controls to deliver a message that could come outfitted with a malicious attachment.
Read More
 
D

Deleted member 178

RE: Researcher finds way to send executable file on Facebook

that will be funny if it is spreading
 

imsoadude

Level 3
Verified
Feb 21, 2011
838
RE: Researcher finds way to send executable file on Facebook

Well im definitely not opening any exe's from facebook emails ever lol
 

AyeAyeCaptain

Level 1
Feb 24, 2011
585
This is the result of frequent and rushed updates pushed onto users without them even wanting it... in turn security gets overlooked. Don't matter how simple something is, when an exploit is made, too many gullable, oblivous users just click click click away. And in turn it just spreads like wild fire!
 

moonshine

Level 7
Verified
Apr 19, 2011
1,264
Facebook users, Especially users that doesn't have any knowledge when it comes to security (Click Happy People) needs to be educated and be very careful at the same time. A good security setup will help them too in keeping away from this malicious executables.
 

AyeAyeCaptain

Level 1
Feb 24, 2011
585
I think Facebook should do more in their effort against such things, and also educate novice users about the dangers so they can learn to read the signs and engage the brain a little more before clicking away on anything. But of course they won't as they don't have much regard for the end user anyway, change what they want when they want, track who they want and where they want even if you have never visited the official site before??!! :p
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top