Facebook .EXE Attachment Vulnerability Latest Security Flaws Found in FB

A security researcher from securitypentest discovered a new vulnerability in Facebook's file-upload feature that allows EXE files to be sent as message attachments. To send such a message, you don't even need to be friends with the recipient.
According to the Security Pentest researchers:

When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanism. Note, you do NOT have to be friends with the user to send them a message with an attachment.
Description:
When attaching an executable file, Facebook will return an error message stating:
"Error Uploading: You cannot attach files of that type."

When uploading a file attachment to Facebook we captured the web browser's POST request being sent to the web server. Inside this POST request reads the line:
Content-Disposition: form-data; name="attachment"; filename="cmd.exe"
It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not. To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:
filename="cmd.exe "

This was enough to trick the parser and allow our executable file to be attached and sent in a message.

This could potentially allow an attacker to compromise a victim's computer system.
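The advisory above describes a deny-list check on the raw filename being defeated by a trailing space. The following is an added example, not code from the advisory or from Facebook, that reproduces the weak check in a small upload handler and shows the hardened form a defender would want: canonicalise the filename (Unicode normalisation, strip path components, trailing spaces and dots), use an allow list rather than a deny list, and never trust the filename alone, rejecting content that starts with the Windows PE "MZ" signature. The extension lists, the helper names and the sample Content-Disposition lines are all constructed for this example.

```python
import re
import unicodedata

# Constructed request lines, modelled on the one quoted in the advisory.
NORMAL_LINE = 'Content-Disposition: form-data; name="attachment"; filename="cmd.exe"'
BYPASS_LINE = 'Content-Disposition: form-data; name="attachment"; filename="cmd.exe "'

# Hypothetical policy lists (the real site's lists are not on the page).
BLOCKED_EXTENSIONS = {"exe", "bat", "com", "scr"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def filename_from_disposition(header):
    """Extract the filename parameter exactly as sent, without any cleanup."""
    m = _FILENAME_RE.search(header)
    if not m:
        raise ValueError("no filename parameter in Content-Disposition")
    return m.group(1)


def naive_is_allowed(filename):
    """Deny-list check on the raw extension, the pattern the advisory describes.

    'cmd.exe ' yields the extension 'exe ' (with a space), which is not in the
    deny list, so the upload is accepted.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext.lower() not in BLOCKED_EXTENSIONS


def canonical_extension(filename):
    """Return the extension a client OS would actually act on, lowercased.

    - NFKC folds look-alike and non-breaking whitespace into plain ASCII.
    - Path separators are dropped so 'a/b.exe' is judged on 'b.exe'.
    - Trailing spaces and dots are removed; Windows ignores both when it
      resolves a name, so 'cmd.exe ' and 'cmd.exe.' both open cmd.exe.
    """
    name = unicodedata.normalize("NFKC", filename)
    name = name.split("/")[-1].split("\\")[-1]
    name = name.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].strip().lower()


def hardened_is_allowed(filename, content):
    """Allow-list check on the canonical extension plus a content check.

    The filename is attacker-controlled, so even an allowed extension is not
    enough: a Windows PE image (MZ header) is rejected whatever it is called.
    """
    ext = canonical_extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if content[:2] == b"MZ":
        return False
    return True


if __name__ == "__main__":
    raw = filename_from_disposition(BYPASS_LINE)
    print("naive check accepts %r: %s" % (raw, naive_is_allowed(raw)))
    print("hardened check accepts %r: %s" % (raw, hardened_is_allowed(raw, b"MZ\x90\x00")))
```

Run stand-alone, the script shows the naive check accepting "cmd.exe " while the hardened check rejects it. The same canonicalisation step is what makes a deny list pointless here: once trailing characters and path components are removed, the question becomes whether the remaining extension is one the application explicitly wants, which is the allow-list decision.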

