Security researcher finds major security flaw in Facebook

Security researcher finds major security flaw in Facebook

Summary: A security researcher has discovered a major security hole affecting the most popular social networking site, Facebook.

SHARE:

A security researcher has discovered a major security hole affecting the most popular social networking site, Facebook.

Basically, the researcher found a way to upload executable files -- such as those most commonly used by malicious software -- on the social network site for potential sharing. Needless to say that the potential for abuse by malicious attackers is pretty evident.

More details:

When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

Is the ultimate distribution of executable files the cornerstone for distributing malware across the social networking sites? Not at all. Cybercriminals often rely on innocent-looking links that redirect to client-side exploits serving domains for achieving their objectives.

The researcher notified Facebook on 09/30/2011 and received a confirmation of his findings on 10/26/2011.

UPDATED: Facebook's Security Manager Ryan McGeehan had this to say:

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipients machine without an additional layer of social engineering.Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall.At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.

Topics: Collaboration, Networking, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

27 comments
Log in or register to join the discussion
  • RE: Security researcher finds major security flaw in Facebook

    That's just great. Bad enough as it is-- getting dozens of notes from strangers, strangers being sent messages from me as though I wanted to 'friend' them. And, if you decide to shut Facebook down, too bad: all your stuff is scattered around out there.
    scald321
    • RE: Security researcher finds major security flaw in Facebook

      @scald321 Two things to make life better; Legalize pot & ban facsbook! Irony...pot is illegal but facebook should be.
      phoenix144
      • RE: Security researcher finds major security flaw in Facebook

        @phoenix144
        Some jerk flagged you but I agree with your statement.
        MoeFugger
      • RE: Security researcher finds major security flaw in Facebook

        @phoenix144 Moron
        SuperComputerGuru
      • RE: Security researcher finds major security flaw in Facebook

        @phoenix144

        Illegal? Come on now. If you don't like the goddamned thing, JUST DON'T USE IT!

        Seriously, I have a Facebook account but I have put the absolute minimum of personal information on it and use it for a bare minimum of websites that it is the only thing you can log into their commenting systems with.
        Lerianis10
  • RE: Security researcher finds major security flaw in Facebook

    It bothers me when facebook says this might be a friend when we have never communicated on facebook and have no mutual friends on facebook,

    but it's right, i'd like to know how...
    redking44
    • RE: Security researcher finds major security flaw in Facebook

      @redking44

      Data mining from Google. Most high schools have their 'old student records' (at least who went to the schools and where they lived) online so when Google parses their websites, they get the information then Facebook mines that information.
      Lerianis10
  • RE: Security researcher finds major security flaw in Facebook

    http://snipr???com/2b3pzz
    fashionean
  • I Just Discovered a Major security Flaw in FaceBook!

    It's FaceBook.

    Why are we still surprised to find security flaws in a platform whose Terms of Use states that you have no right to expect any level of data security?

    mnem
    Facebook: The new definition of the term "Viral".
    mnemennth
  • RE: Security researcher finds major security flaw in Facebook

    Very intersting; and Facebook appear to have this covered, but was it absolutely necessary to publish how this was done. Brainless.
    Sandi120
    • Agreed.....

      @Sandi120

      Just a like the "Wet Paint" sign on a painted object...everyone just has to touch it to see if it is really wet! Now there will be many fools who will try this "trick" to see if it really works.
      linux for me
    • RE: Security researcher finds major security flaw in Facebook

      @Sandi120

      Obscurity does not equal security. It appears that suitable notice and time was given to Facebook to address this issue before publication. If alert users know about this security issue, they will be more aware of potential social engineering exploits targeting it. Therefore, yes, it IS absolutely necessary to publish how this is done. Only the ignorant will object.
      Dave S2
  • amongst all the other major security flaws

    floored!
    Mahegan
  • RE: Security researcher finds major security flaw in Facebook

    If this is the case then why is ZDNet on Facebook. I'm about to leave it and go else where.

    How about doing research and tell us which ones would be better then Facebook so we can make a choice based on the social networks concern for security, and ease of use?
    navymanmi
  • The lives of helpless-2

    Different locations doing different things, different times a different mood.ssss2
    Otakussss
  • The lives of helpless0

    Different locations doing different things, different times a different mood.0
    Otakussss
  • The lives of helpless0

    Different locations doing different things, different times a different mood.0
    Otakussss
  • RE: Security researcher finds major security flaw in Facebook

    I do not even use Facebook and still get email from them almost every day about someone wanting to be my friend or flirt with me.
    rdw551
  • RE: Security researcher finds major security flaw in Facebook

    Well, this is only insult to injury.

    Let's not pretend this is some eureka moment.

    Not to sound all "skynet is the virus"... but isn't the goal of spyware to share your information, activity, etc, with someone of whom you don't want it shared it?

    ...isn't that exactly how Facebook makes their money? Instead of one person's server who wrote the spyware, your info, activity, whatever is being sent to the 8 of the top 10 bidders.
    UrNotPayingAttention
  • RE: Security researcher finds major security flaw in Facebook

    Rather than tampering the POST request, wouldn't it be more easy to just rename the file to append the trailing space? LOL
    diegocr