Nathan Power, who works for the technology consultancy CDW, updated his blog yesterday to reflect that the flaw had been fixed. The problem allowed a user to send another user an executable attachment by using Facebook’s ‘Message’ feature.
The sender and the recipient did not have to be confirmed friends. Power, who notified Facebook on September 30, found that Facebook parses part of a POST request to the server to see if the file being sent should be allowed. Usually, executable files are rejected.
But Power found that if he modified the POST request with an extra space after the file name for the attachment, it would go through. If a victim accepted the file, the person would still need to launch it in order for malicious software to be installed.
The danger is that Facebook could be used for so-called spear phishing, or targeted attacks with the intention of loading malware on a victim’s machine. The style of attack has been successful against companies such as RSA, which leaked information related to its SecurID authentication and disclosed the issue in March.
At least one defense contractor was subsequently attacked following the RSA breach.
Facebook’s security manager, Ryan McGeehan, said in a statement last week that a successful attack using the vulnerability would require social engineering and also would only allow the attacker to send an obfuscated renamed file to another user one at a time. Facebook this week continued to insist that a fix was not necessary.