New Facebook Flaw Allows Sending of Malicious .exe Files in E-Mail
A security flaw was recently detected in Facebook Messenger that could let anybody send .exe files, thereby letting cyber-crooks include malicious software in their e-mails, Softpedia reported on October 28, 2011.
Facebook has a feature that lets an end-user send a message, along with an attachment, to a stranger. Although sending .exe files is prohibited on Facebook, a penetration tester discovered a method for bypassing the filter.
First, security expert Nathan Power indicated that Facebook partially parsed the POST requests sent to its web servers to check whether the files being sent were permitted.
Thereafter, the security investigators captured one such POST request, sent while trying to post a file attachment, and modified it.
Nathan, of technology consultant CDW, said that the security researchers found that the filename variable was being parsed to determine whether that file type was permitted or not. So, to subvert the security mechanism and get an .exe file through, CDW's researchers altered the POST request by adding a space to the filename, he told SCMagazine on October 29, 2011.
The security flaw is dangerous because criminals can use it to send malware-laced e-mails. Power notified Facebook about the flaw on September 30, 2011, after which the social-networking firm acknowledged its existence.
Ryan McGeehan, Security Manager at Facebook, stated that the discovery would merely let an end-user send a file with a disguised name to another Facebook member. The proof-of-concept (POC) would have no way to run on a recipient's computer without an extra layer of social engineering. Beyond that, Facebook wouldn't depend only on string matching as a defense, since things like zip files could also behave unpredictably when sent as an attachment, McGeehan explained, as reported by Softpedia.
Ultimately, when an attachment is an executable, Facebook warns that sending it will fail. However, if the POST request is modified with an additional space in the filename, the file can be sent as an .exe attachment.
In this way the experimental trick worked on the parser, letting the security researchers' .exe file be sent as an e-mail attachment.
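The class of bug described above, as an added example (not Facebook's code, which the article does not show): a blocklist check on the raw client-supplied filename beside a check that canonicalizes the name first. The function names, the blocklist and the sample filenames are constructed, and placing the space at the end of the name is an assumption, since the article only says a space was added to the filename.

```python
import unicodedata

# Constructed blocklist for illustration; an allowlist of expected types is stronger.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat", ".com")


def naive_is_allowed(filename):
    """Weak pattern: match the extension against the raw client-supplied string."""
    return not filename.lower().endswith(BLOCKED_EXTENSIONS)


def canonicalize(filename):
    """Reduce a client-supplied name to the form the recipient's system will act on."""
    # Fold compatibility characters (e.g. no-break space) into their plain forms.
    name = unicodedata.normalize("NFKC", filename)
    # Drop any path component the client may have sent.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Remove control and format characters (NUL, CR, LF, zero-width marks, ...).
    name = "".join(ch for ch in name if unicodedata.category(ch)[0] != "C")
    # Windows ignores trailing spaces and dots, so "a.exe " is opened as "a.exe".
    return name.strip().rstrip(" .")


def hardened_check(filename):
    """Return (allowed, canonical_name); store and serve only canonical_name."""
    name = canonicalize(filename)
    allowed = bool(name) and not name.lower().endswith(BLOCKED_EXTENSIONS)
    return allowed, name


if __name__ == "__main__":
    # Constructed sample filenames, as they might arrive in a multipart POST.
    for raw in ["report.pdf", "cmd.exe", "cmd.exe ", "cmd.EXE. ", "cmd.exe\u00a0"]:
        print(repr(raw), "naive:", naive_is_allowed(raw), "hardened:", hardened_check(raw))
```

Validating and storing the same canonical string closes the gap between the name that was checked and the name the recipient receives; as McGeehan's statement notes, a name check is still only one layer.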
» SPAMfighter News - 04-11-2011