Uploading .exe files is generally not allowed on most online services like Gmail and Facebook. However, a vulnerability found in Facebook lets you attach .exe files and send them across to your friends and other people.
The bug was first identified by Nathan Power, a senior security penetration tester at technology consultancy CDW, which he posted about the issue in a blog post.
Mark Zuckerberg announced Facebook Messages last year in November, which enabled every user to create a @facebook.com email address. This also allowed users to upload attachments like images and document files, but did not allow users to attach .exe files. Whenever a user tried to attach an .exe file, Facebook throws the following error message – “You cannot attach files of that type”.
Nathan Power found an alternative way to attach .exe files and surprisingly it worked. When uploading the file to Facebook, he captured the web browser’s POST request, which is as follows -
Content-Disposition: form-data; name="attachment"; filename="cmd.exe"
It was identified that the variable “filename” was being parsed to determine whether the type of file is allowed to be uploaded or not. Power modified the POST request by appending a blank space after the .exe in order to subvert the security mechanism to allow an .exe file type.
The modified line looked like this -
Content-Disposition: form-data; name="attachment"; filename="cmd.exe "
That way, the Facebook messaging system allowed the user to upload a file with .exe extension, thus causing a huge vulnerability in the messaging system. This could be misused by hackers/spammers to send malicious files to any user on Facebook.
However, Facebook’s Security Manager Ryan McGeehan stated that in order to execute the file on the receiver’s computer it would require “an additional layer of social engineering.” He also said that webmail providers face the same problem with malicious attachments and that “this finding is a very small part of how we protect against this threat overall.”
Here’s what Ryan McGeeham had to say -
This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipients machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.
We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall. At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.
That certainly is something very serious as shortened URLs pose larger threat, since users blindly click links on the social network. Users must be very careful about links on Facebook and verify them before clicking or sharing with others.
A precautionary measure that users can follow is to set their privacy setting so they can receive messages from their friends only. To do so, follow the steps mentioned below -
- Click on Account > Privacy Settings
- Click “Edit Settings” for “How You Connect”
- From the pop-up box, change “Who can send you Facebook Messages” to “Friends”