This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Researcher finds way to send executable file on Facebook

Share this article:

Researchers have discovered a way to evade Facebook security controls to deliver a message on the social networking site that contains an executable file.

Facebook normally strips out messages that contain executables from itsprivate messaging feature. But a yet-to-be-fixed vulnerability, discovered by penetration tester Nathan Power, could enable someone to undermine these security controls by altering the 'POST' request, which is used to send data to a server.

The researchers captured the POST query that is sent when attempting to upload an attachment, and altered the coding.

"It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not," according to the vulnerability disclosure. "To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable."

Doing this allowed the researchers to "trick the parser" and attach an executable to the message.

A bug like this is dangerous because it could allow criminals to send messages that contain malware. Power reported the vulnerability to Facebook on Sept. 30, and the company acknowledged its existence on Wednesday.

A Facebook spokesman, in an email to SCMagazineUS.com, said the exploit, as diagrammed by the researcher, would not impact a recipient.

"The attack...would only allow a user to send an obfuscated renamed file to another user, but this file would not execute on a recipients machine," the spokesman said, adding that Facebook also relies on anti-virus technology to weed out potentially malicious files.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Gameover Trojan 'surges' after police takedown

Gameover Trojan 'surges' after police takedown

What constitutes winning in the fight against malware, and what's the value of a takedown ask commentators in the wake of Gameover Zeus' bounceback.

Privacy fears as US court rules against Microsoft

Privacy fears as US court rules against Microsoft ...

A New York court has told Microsoft it must hand over customer data to the US Government even though it's held overseas - reigniting a privacy debate that has also ...

Researcher develops BadUSB code to compromise USB sticks - and their computer hosts

Researcher develops BadUSB code to compromise USB sticks ...

Karsten Nohl also reveals how an enhanced security approach can beat his USB architecture compromise.