Facebook only partly agrees that the finding is a real flaw

Oct 28, 2011 12:54 GMT

It was recently uncovered that Facebook Messenger can be tricked into letting anyone send executable files, allowing cybercriminals to attach pieces of malware to their messages.

Researchers from SecurityPenTest discovered a bug that bypasses the security mechanism which should make sure that no one is able to send exe files.

Normally, when you try to send such an attachment, an error pops up saying that “You cannot attach files of that type.”

In the upload process, the web browser sends a POST request to the server. A variable called “filename” stores the file's name and is the value against which the file's type is checked.

However, by adding a space to the end of the variable's value, the mechanism was bypassed. So instead of the variable being filename="cmd.exe", the POST request was modified to filename="cmd.exe " (with a space after .exe).
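The sketch below is an added example, not Facebook's code: it sets a plain string match on the raw “filename” value beside a check that first reduces the name to a canonical form. The function names, the one-entry blocklist and the sample filenames are assumptions constructed for illustration.

```python
import unicodedata

# Assumed blocklist for illustration; the article only mentions .exe.
BLOCKED_EXTENSIONS = (".exe",)


def naive_is_blocked(filename: str) -> bool:
    """String match on the raw client value: the kind of check a trailing space defeats."""
    return filename.lower().endswith(BLOCKED_EXTENSIONS)


def canonical_name(filename: str) -> str:
    """Reduce a client-supplied filename to the form it would take once saved."""
    # Keep only the last path component, whichever separator the client used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Remove control and format characters (NUL, tab, zero-width space, ...).
    name = "".join(
        ch for ch in name if unicodedata.category(ch) not in ("Cc", "Cf")
    )
    # The Win32 API drops trailing spaces and dots when a file is created,
    # so "cmd.exe " and "cmd.exe." both end up on disk as "cmd.exe".
    while name and (name[-1].isspace() or name[-1] == "."):
        name = name[:-1]
    return name.lower()


def hardened_is_blocked(filename: str) -> bool:
    """Apply the blocklist to the canonical name instead of the raw value."""
    return canonical_name(filename).endswith(BLOCKED_EXTENSIONS)


def accept_upload(filename: str):
    """Return the canonical name to store, or None if the upload is refused.

    The name that is validated is also the name that is stored, so the two
    cannot drift apart later in the pipeline.
    """
    name = canonical_name(filename)
    if not name or name.endswith(BLOCKED_EXTENSIONS):
        return None
    return name


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in ["cmd.exe", "cmd.exe ", "cmd.exe.", "cmd.EXE \t", "report.pdf "]:
        print(repr(sample), naive_is_blocked(sample), hardened_is_blocked(sample))
```

A filename check of this kind is one layer only; it says nothing about what the file actually contains.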

The issue could have allowed an attacker to compromise a computer by sending it a piece of malware.

According to the timetable provided by the researchers, the vulnerability was reported at the end of September, but it seems that it took Facebook almost a month to come up with an answer.

ZDNet obtained a statement from a Facebook representative on the matter.

“This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient's machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment,” said Ryan McGeehan, security manager at Facebook.

“We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector,” McGeehan added.

“This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall. At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.”