Facebook .exe Attachment Vulnerability Found

Uploading .exe files is generally not allowed on most online services like Gmail and Facebook. However, a vulnerability found in Facebook lets you attach .exe files and send them across to your friends and other people.

The bug was first identified by Nathan Power, a senior security penetration tester at the technology consultancy CDW, who described the issue in a blog post.

Mark Zuckerberg announced Facebook Messages last year in November, which enabled every user to create an @facebook.com email address. This also allowed users to upload attachments such as images and document files, but not .exe files. Whenever a user tried to attach a .exe file, Facebook showed the error message “You cannot attach files of that type”.

Nathan Power found an alternative way to attach .exe files and surprisingly it worked. When uploading the file to Facebook, he captured the web browser’s POST request, which is as follows –

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

It was identified that the “filename” parameter was being parsed to determine whether the file type was allowed to be uploaded. Power modified the POST request by appending a blank space after the .exe, which subverted the check and let the .exe file through.

The modified line looked like this –

Content-Disposition: form-data; name="attachment"; filename="cmd.exe "

That way, the Facebook messaging system allowed the user to upload a file with an .exe extension, opening a huge hole in the messaging system. This could be misused by hackers/spammers to send malicious files to any user on Facebook.
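As an added illustration (not code from the original post or from Facebook), here is the weak string check the article describes beside a hardened version that canonicalizes the filename before comparing; the Content-Disposition lines beyond the two shown in the article and the deny-list of extensions are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample Content-Disposition lines modelled on the article's;
# the third and later variants are added here for illustration.
SAMPLE_HEADERS = [
    'Content-Disposition: form-data; name="attachment"; filename="cmd.exe"',
    'Content-Disposition: form-data; name="attachment"; filename="cmd.exe "',
    'Content-Disposition: form-data; name="attachment"; filename="CMD.EXE"',
    'Content-Disposition: form-data; name="attachment"; filename="cmd.exe."',
    'Content-Disposition: form-data; name="attachment"; filename="report.pdf"',
]

# Assumed deny-list for this example; the article does not give Facebook's.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "bat", "cmd"}
_FILENAME_RE = re.compile(r'filename="([^"]*)"')

def parse_filename(header: str) -> Optional[str]:
    """Return the raw filename parameter exactly as the client sent it."""
    match = _FILENAME_RE.search(header)
    return match.group(1) if match else None

def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1] if "." in name else ""

def naive_is_blocked(filename: str) -> bool:
    """The weak check the article describes: compare the raw extension.
    'cmd.exe ' yields the extension 'exe ', which is not in the list."""
    return _extension(filename) in BLOCKED_EXTENSIONS

def normalize_filename(filename: str) -> str:
    """Canonicalize before checking: keep only the last path component,
    strip surrounding whitespace and trailing dots/spaces (which Windows
    discards when saving the file), and lowercase."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().rstrip(". ").lower()

def hardened_is_blocked(filename: str) -> bool:
    """Check the canonical form. This only fixes the string-matching layer;
    content scanning of the upload remains the second line of defence."""
    return _extension(normalize_filename(filename)) in BLOCKED_EXTENSIONS

def audit(headers=SAMPLE_HEADERS):
    """Return (raw filename, naive verdict, hardened verdict) per header."""
    rows = []
    for header in headers:
        raw = parse_filename(header)
        if raw is not None:
            rows.append((raw, naive_is_blocked(raw), hardened_is_blocked(raw)))
    return rows
```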


However, Facebook’s Security Manager Ryan McGeehan stated that in order to execute the file on the receiver’s computer it would require “an additional layer of social engineering.” He also said that webmail providers face the same problem with malicious attachments and that “this finding is a very small part of how we protect against this threat overall.”

Here’s what Ryan McGeehan had to say –

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient’s machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with a similar risk, and this finding is a very small part of how we protect against this threat overall. At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.

That is certainly serious, as shortened URLs pose a larger threat since users blindly click links on the social network. Users must be very careful about links on Facebook and verify them before clicking or sharing them with others.

A precautionary measure that users can follow is to set their privacy setting so they can receive messages from their friends only. To do so, follow the steps mentioned below –

  • Click on Account > Privacy Settings
  • Click “Edit Settings” for “How You Connect”
  • From the pop-up box, change “Who can send you Facebook Messages” to “Friends”

A Google+ user named Sahil Singh checked for the vulnerability with Gmail and was surprised to find that it affected Gmail as well.

Published by

Joel Fernandes

Joel Fernandes (G+) is a tech enthusiast and a social media blogger. During his leisure time, he enjoys taking photographs, and photography is one of his most loved hobbies. You can find some of his photos on Flickr. He does a little web coding and maintains a tech blog of his own - Techo Latte. Joel is currently pursuing his Masters in Computer Application from Bangalore, India. You can get in touch with him on Twitter - @joelfernandes, or visit his Facebook Profile for more information.

  • http://google balu

    I want to upload .exe files to Facebook.

    • http://google balu

      I want to upload a .exe file to Facebook.

    • Net Verse

      Read my post above, the latter part: use a password-protected zip or 7zip file.

  • jordan

    I added a space after .exe, but when I press enter nothing happens, it's back to normal and I can't attach it, so please help.

    • Net Verse

      Put the EXE in a 7zip with a password, then it works. I have done it a few times.

  • zelmo

    It's not really working. I can upload the exe, but when downloading, the file ends with exe_, so the one who downloads the file would have to change it to exe before he can execute it. Any idea how to fix it?

    If it's not working, try adding a space after the ” behind the filename too ;-)

  • vikram

    Compress it in .zip and send... it works 100%

    • Net Verse

      Nope, that doesn’t work. You must put a password on the zip file.

  • Net Verse

    What is funny, as in funny stupid, is when you find a vulnerability, you don’t talk openly in a public web place about it to allow the hackers to see it. That is like me finding gold bars buried in some abandoned field in the woods, and then I get on a webphone and talk about it on a Twitter channel with millions of people following. How many of those people are going to just sit there and say, hey good for you, or will they just try to find out where to come to get their share of the action? I think it's so stupid when people post news about stuff like that. I found a security flaw and could get into anyone’s account through my account through browsing manipulation on a certain website; however, I did not get on the web and broadcast it. I contacted the owner of the site, who then offered me two things, one of them was to be a lifetime non-paying member of the site. Yeah, telling the world about the Facebook flaw is not smart. People, it is true, Facebook does put up an error that you can’t upload EXE files; however, I do it all the time, and I don’t exploit some flaw in the programming of a site. I use a security measure. Encasing an exe in a zipfile will still yield an error on the upload, so what do you do? You put your exe file in a password-protected zip or 7zip file and Facebook can’t scan it. I believe I even changed exe to jpeg and yet Facebook will now upload. So, yes, you can upload an exe inside a zip file that is password protected. Who needs to fiddle f*ck with playing with the form request? First of all, if a stranger sends me an EXE, it won’t open it if it was on Facebook. Even on Gmail, when I saw it would not send an exe file like Yahoo, what did I do? I put a password on the zip file.