Softpedia
 


November 2nd, 2011, 09:53 GMT · By

Facebook Quietly Fixes EXE Attachment Flaw


Facebook decides to fix the EXE attachment flaw
Facebook representatives initially claimed that the vulnerability in the way executable file attachments could be sent via Facebook messenger was difficult to exploit, but it seems that Zuckerberg's company has now quietly fixed the issue.

Nathan Power updated his blog post on November 1 and modified the vulnerability time table, assigning the issue a "Vulnerability Fixed" status.

"This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient's machine without an additional layer of social engineering.

"Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment," said a Facebook security manager after the flaw was made public.

At the time, the company representative also claimed that Facebook uses alternative methods to make sure no malicious elements are sent through their messaging service.

In the meantime, the company had a change of heart and decided to fix the weakness anyway, probably not wanting to risk any unfortunate incidents.

The whole thing started when Power, a SecurityPenTest researcher, discovered that if the POST request parsed by the server when a file is sent was modified to add a space character at the end of the filename, Facebook would not detect the attachment as an EXE file.
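The trailing-space bypass described above, shown as an added example that is not Facebook's code and not part of the original article (the page does not describe the actual fix). It places a raw string match on the filename beside a check that normalizes the name first and also inspects the file content; all function names and the sample uploads are constructed for illustration.

```python
import os

BLOCKED_EXTENSIONS = {".exe"}  # assumption: the article names only EXE files


def naive_is_blocked(filename: str) -> bool:
    """String match on the raw client-supplied name; a trailing space defeats it."""
    return filename.lower().endswith(tuple(BLOCKED_EXTENSIONS))


def normalize_filename(filename: str) -> str:
    """Reduce a client-supplied name to the form the recipient's system will see."""
    name = filename.replace("\x00", "")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    # Windows strips trailing spaces and dots when the file is created on disk.
    return name.rstrip(" .\t\r\n").lower()


def looks_like_pe(content: bytes) -> bool:
    """Content check: DOS/PE executables begin with the bytes 'MZ'."""
    return content[:2] == b"MZ"


def hardened_is_blocked(filename: str, content: bytes) -> bool:
    """Block on the normalized extension or on the content signature."""
    ext = os.path.splitext(normalize_filename(filename))[1]
    return ext in BLOCKED_EXTENSIONS or looks_like_pe(content)


# Constructed sample uploads: (filename from the request, first bytes of the body)
SAMPLES = [
    ("report.pdf", b"%PDF-1.4"),
    ("setup.exe", b"MZ\x90\x00"),
    ("setup.exe ", b"MZ\x90\x00"),  # trailing space, as described in the article
    ("notes.txt", b"MZ\x90\x00"),   # executable content under a harmless name
]


def compare(samples=SAMPLES):
    """Return (name, naive verdict, hardened verdict) for each sample."""
    return [(n, naive_is_blocked(n), hardened_is_blocked(n, c)) for n, c in samples]


if __name__ == "__main__":
    for name, naive, hardened in compare():
        print(f"{name!r:14} naive={naive!s:5} hardened={hardened}")
```

The content check reflects the point in the Facebook statement that string matching alone is not a sufficient protective measure.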

Even though the company didn't admit the possibility of an attack that relied on the flaw, it's a good thing that the social networking website decided to act on it. You never know how even the simplest issues can be used by cybercriminals to send their malicious files.

Since the fix was probably not such a difficult matter, users can be sure, at least for now, that nothing malicious can come from another member.


Copyright © 2001-2013 Softpedia.
