The exploit code has been made available by the researcher

Nov 9, 2012 14:20 GMT

Security researcher Chris C. Russo claims to have discovered a way to use Facebook’s chat module to launch a denial-of-service (DOS) attack against any user, even if they’re not friends with the attacker.

Russo says the attack is similar to the ones launched back in the day via MSN Messenger: a large number of packets are sent to the target, causing the target's application to crash.

“The chat module, which at this moment I can't use since it looks like I have been blocked after testing it using Burp Suite, doesn't have any kind of limit in the amount of characters that can be sent,” he explained.

“It has been possible to disconnect 3 different testing users (3 out of 3) by sending big enough messages. One of them reported that his tablet restarted after the reception, and it was no longer possible to open the FB app, since the chat log would remain there and it would make the app crash again,” he added.

According to the researcher, these DOS attacks are possible because of a parameter in facebook.com/ajax/mercury/send_messages.php.

He says these attacks can be mitigated by checking the length of the buggy parameter before the information is sent on to the user.
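A sketch of that mitigation follows, as an added example that is not code from Russo's advisory or from Facebook. It rejects oversized messages before they are stored or delivered, and filters a chat log that already holds one, which matters because the tester's app kept crashing on the stored log. The field name `message_body` and all limits are assumptions, since the article names neither.

```python
from urllib.parse import parse_qs

# Assumed values for illustration; the article does not give Facebook's limits.
MAX_REQUEST_BYTES = 64 * 1024    # cap on the whole POST body, checked before parsing
MAX_MESSAGE_CHARS = 20_000       # cap on the message text, in code points
MESSAGE_FIELD = "message_body"   # hypothetical name; the article does not name the parameter
PLACEHOLDER = "[message removed: too long]"


def check_send_request(raw_body):
    """Return (True, text) if the message may be stored and delivered,
    otherwise (False, reason). raw_body is the urlencoded POST body as bytes."""
    # 1. Cheap size check first, so an oversized request is never parsed.
    if len(raw_body) > MAX_REQUEST_BYTES:
        return False, "request too large"
    try:
        fields = parse_qs(raw_body.decode("utf-8"),
                          strict_parsing=True, max_num_fields=50)
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request"
    values = fields.get(MESSAGE_FIELD, [])
    # 2. Exactly one copy of the field: duplicates could bypass a per-value check.
    if len(values) != 1:
        return False, "missing or duplicated message field"
    text = values[0]
    # 3. Reject rather than truncate, so the sender gets an error and nothing
    #    oversized reaches the recipient's client or the stored chat log.
    if len(text) > MAX_MESSAGE_CHARS:
        return False, "message too long"
    return True, text


def sanitize_history(stored_messages):
    """Replace oversized messages already in a chat log with a short
    placeholder, so a client reopening the conversation is not fed the
    same payload again."""
    return [m if len(m) <= MAX_MESSAGE_CHARS else PLACEHOLDER
            for m in stored_messages]
```

The check belongs on the server's send path, before fan-out to recipients; a limit enforced only in the sender's client is bypassed by anyone replaying the request through a proxy.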

“Personally I believe that there must be something wrong with XSRF tokens as well, because it would allow me to send several packets using the same token that I initially extracted, however I couldn't this information due to the ban prevention mechanism,” Russo wrote on seclists.org’s Full Disclosure.

The exact packet that must be sent to cause the DOS condition has been made public. The expert says he disclosed the vulnerability publicly because, in the past, it took Facebook 6 weeks to reply to his notifications, only to tell him that “there was no flaw at all.”