Facebook .exe Attachment Vulnerability Found

Most online services, including Gmail and Facebook, do not allow uploading .exe files. However, a vulnerability found in Facebook lets you attach .exe files and send them to your friends and other people.

The bug was first identified by Nathan Power, a senior security penetration tester at the technology consultancy CDW, who described the issue in a blog post.

Mark Zuckerberg announced Facebook Messages last November, giving every user an @facebook.com email address. The service also let users upload attachments such as images and documents, but not .exe files: whenever a user tried to attach one, Facebook returned the error message “You cannot attach files of that type”.

Nathan Power found an alternative way to attach .exe files, and it worked. While uploading a file to Facebook he captured the browser’s POST request, which contained the following line –

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

The server was parsing the “filename” parameter to decide whether the file type was allowed. Power modified the POST request by appending a single space after “.exe”, so that the extension no longer matched the blocked string and the check was bypassed.

The modified line looked like this –

Content-Disposition: form-data; name="attachment"; filename="cmd.exe "

With that change, the Facebook messaging system accepted the upload even though the file still carried an .exe extension (Windows silently drops a trailing space when the file is saved, so the recipient ends up with an ordinary executable). This left a significant hole in the attachment filter that hackers and spammers could abuse to send malicious files to any user on Facebook.
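The following is an added example, not code from the original article, from Nathan Power’s post or from Facebook: a minimal multipart/form-data parser, the kind of naive extension check the article describes, and a hardened check that normalises the filename and sniffs the content. The boundary string, the field name, the deny-list and the sample uploads are constructed for the example.

```python
"""
Added example (not from the original article, Nathan Power's post or Facebook's
code): a minimal multipart/form-data parser, the naive extension check the
article describes, and a hardened check that normalises the filename and
sniffs the content. The boundary, field name and deny-list are assumptions.
"""
import re

# Assumption: a minimal deny-list of Windows-executable extensions.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif"}

# Constructed values for the example; boundary and field name are assumptions.
BOUNDARY = "----FormBoundary7MA4YWxkTrZu0gW"
MZ_STUB = b"MZ\x90\x00\x03\x00\x00\x00"      # first bytes of a DOS/PE executable
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF"  # first bytes of a JPEG


def build_upload(filename: str, content: bytes) -> bytes:
    """Build a one-part multipart/form-data body as a browser would send it."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="attachment"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{BOUNDARY}--\r\n".encode()


def parse_file_part(body: bytes) -> tuple:
    """Return (filename, content) of the first file part, exactly as the server sees it."""
    for part in body.split(f"--{BOUNDARY}".encode()):
        header, sep, data = part.partition(b"\r\n\r\n")
        match = re.search(rb'filename="([^"]*)"', header)
        if sep and match:
            # The part body ends with CRLF before the next boundary line.
            if data.endswith(b"\r\n"):
                data = data[:-2]
            return match.group(1).decode(), data
    raise ValueError("no file part found")


def naive_is_allowed(filename: str) -> bool:
    """The kind of check the article describes: the raw extension is string-matched.
    'cmd.exe ' yields the extension 'exe ' (with a space), which is not in the list."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext.lower() not in BLOCKED_EXTENSIONS


def normalise_filename(filename: str) -> str:
    """Reduce a client-supplied filename to the form the recipient's OS will actually use."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    name = name.split("\x00", 1)[0]                        # C-based parsers stop at NUL
    return name.rstrip(" .").lower()                       # Windows drops trailing spaces/dots on save


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Normalise first, reject if any dotted suffix is blocked, then sniff the bytes
    so a renamed executable ('holiday.jpg' with an MZ header) is caught as well."""
    suffixes = normalise_filename(filename).split(".")[1:]
    if any(s in BLOCKED_EXTENSIONS for s in suffixes):
        return False
    if content[:2] == b"MZ":
        return False
    return True


def demo() -> dict:
    """Run both checks over constructed uploads; returns {label: (naive, hardened)}."""
    cases = {
        "plain": build_upload("cmd.exe", MZ_STUB),
        "trailing_space": build_upload("cmd.exe ", MZ_STUB),  # the article's bypass
        "renamed": build_upload("holiday.jpg", MZ_STUB),      # the name lies, the bytes don't
        "image": build_upload("holiday.jpg", JPEG_STUB),      # legitimate upload
    }
    results = {}
    for label, body in cases.items():
        filename, content = parse_file_part(body)
        results[label] = (naive_is_allowed(filename), hardened_is_allowed(filename, content))
    return results


if __name__ == "__main__":
    for label, (naive, hardened) in demo().items():
        print(f"{label:15s} naive={'allow' if naive else 'block':5s} "
              f"hardened={'allow' if hardened else 'block'}")
```

Running it shows the naive check blocking only the plain `cmd.exe` upload, while the hardened check blocks the trailing-space variant and the renamed executable and still lets the JPEG through. Checking every dotted suffix is a deliberately conservative choice (it also rejects `payload.exe.txt`); the content sniff is what makes the name irrelevant, which is the same reason McGeehan cites AV scanning rather than string matching as the real control.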


However, Facebook’s Security Manager Ryan McGeehan stated that in order to execute the file on the receiver’s computer it would require “an additional layer of social engineering.” He also said that webmail providers face the same problem with malicious attachments and that “this finding is a very small part of how we protect against this threat overall.”

Here’s what Ryan McGeehan had to say –

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient’s machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall. At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.

Shortened URLs are indeed the larger threat, since users tend to click links on the social network without a second thought. Users should treat links on Facebook with care and verify them before clicking or sharing them with others.

As a precautionary measure, users can restrict who is able to message them to friends only. To do so, follow the steps below –

  • Click on Account > Privacy Settings
  • Click “Edit Settings” for “How You Connect”
  • From the pop-up box, change “Who can send you Facebook Messages” to “Friends”

A Google+ user named Sahil Singh tried the same trick against Gmail and reported that it affects Gmail as well.

Facebook Adds Two New Security Features – Trusted Friends and Application Passwords

With more than 800 million users, Facebook is taking security seriously, and in an aim to help users protect their accounts, the social networking giant has announced two new security improvements – Trusted Friends and Application Passwords.

When your Facebook account is compromised, the first thing the hijacker typically does is change your password so that you cannot regain access to the account. The conventional process for changing a password is to enter the old password first and then the new one. Facebook is now changing this approach.

The Trusted Friends feature lets you choose three to five friends you really trust. When you or someone else tries to change your account password, these trusted friends are contacted to verify that you are the legitimate account owner, and if your account gets locked, they can vouch for you and help you regain access. So choose your “trusted” friends carefully.


“It’s sort of similar to giving a house key to your friends when you go on vacation–pick the friends you most trust in case you need their help in the future,” the company said in a blog post.

To set up Trusted Friends:

  1. Go to your Security Settings page (Account > Account Settings > Security)
  2. Click on the Trusted Friends section
  3. Click Choose Trusted Friends
  4. Scroll through your friends or search for specific friends
  5. Select your friends (three to five) and confirm your choices

Note: The feature is currently being tested, so if you don’t see the “Trusted Friends” section you will have to wait until it is publicly available.

Facebook Application Passwords

Facebook already offers a security feature called Login Approvals which, when enabled, requires users to enter a security code texted to their phone whenever they log in to Facebook or to Facebook apps. However, some applications, such as Spotify, did not present the security-code prompt properly, so users who had enabled Login Approvals were locked out of the app.


To overcome this, Facebook has announced a new feature called App Passwords. It lets you create a unique password for an application, which you enter in place of your normal password whenever that app asks you to log in. To set one up, go to Account Settings > Security and click “Edit” next to App Passwords. A message box explains that Login Approvals won’t work for apps like Xbox, Spotify, and Skype. Now click “Generate App Passwords”.


On the next screen, enter the name of the app (for example, Skype or iPhone) and Facebook generates a unique alphanumeric password for it.


“There are tons of applications you can use by logging in with your Facebook credentials. However in some cases you may want to have a unique password for that application,” the blog post says. “This is especially helpful if you have opted into Login Approvals, for which security codes don’t always work when using 3rd party applications.”

The two new security features look promising and should help users keep hijackers out of their accounts. To be effective, though, Facebook should consider running an awareness campaign or releasing a new version of its Official Guide to Facebook Security.

The Impact of Facebook Scams and How Scammers Make Money

In the past we reported a number of Facebook scams that spread like wildfire. Scam messages reported earlier, including the “Girl Killed Herself After Dad Posted On Wall” scam, the Marika Fruscio spam and the “OMG Can’t Believe Justin Beiber Did This To A Girl” spam, are still spreading on Facebook. As Facebook scams continue to boom and flood news feeds, Websense, a web security firm, conducted an interesting study that explains how scam messages spread and how they work.

Websense chose two scams that were still actively spreading. The study found that roughly 1,800 Facebook users clicked on and interacted with a scam every minute. Assuming each user spent at least one minute on the scam website completing surveys, that adds up to 2,592,000 visits per day. That’s a bomb!

Calculation: (24 hours × 60 minutes) × 1,800 users per minute = 2,592,000 hits per day

Users are tempted to click on scam messages that pique their curiosity, which is why scammers give them enticing titles and descriptions along with thumbnails of half-naked girls.

How do scams spread?

Scam messages spread in two ways. In the first, clicking on a scam message takes users to a fake page that asks them to verify their age by clicking a “Jaa” button twice. The “Jaa” button is wired to code that posts the message to their Facebook wall automatically.

In the second, clicking on the scam message takes the user to a page containing an image that looks like a normal YouTube (or other) video player. These sites have no age-verification step; instead the play button itself is wired so that clicking it automatically “likes” and shares the scam message on the user’s Facebook wall.

Here is the code that is used to automatically share the message in the background –

(Screenshot: Facebook Scam Share Code)

The scam then spreads across the news feed as users’ friends start clicking on the message.