Nathan Power, a senior security penetration tester at technology consultancy CDW, has just given Facebook users yet another reason to be vigilant about checking the security of every message they receive on the social networking site. According to him, there is a major flaw in Facebook that allows a person to send malicious applications through the site’s messaging system.
Those who are familiar with Facebook’s message system will probably know that the site now allows people to send attachments along with the actual message. Normally, .exe files cannot be sent through this feature. Trying to do so will only net you an error message saying that files of that type are not allowed to be attached.
However, Power found a bug that allowed him to subvert this check. Facebook’s interface decided whether a file could be attached by parsing the filename: if the attachment carried an extension that was not allowed, such as .exe, the file was automatically rejected. Power tricked the filter by merely adding a space after the extension, writing “.exe ” instead of “.exe”.
With this small change, the file was accepted as an attachment. What makes this dangerous is that you do not have to be friends with a user in order to send him a message, so an attacker could use Facebook as a delivery channel for malicious files.
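As an added illustration (not code from the article, nor Facebook’s own), the Python below reproduces the kind of denylist check described above and places a hardened, allowlist-based check beside it. The extension lists are constructed for the example; the hardened version goes slightly beyond the single trailing-space case reported and also folds trailing dots, Unicode whitespace, case and path components, which is what a server-side filter should do.

```python
import unicodedata

# Constructed denylist, standing in for the filter described in the article.
BLOCKED = {".exe", ".bat", ".cmd", ".scr"}
# Constructed allowlist for the hardened check: only these types are accepted.
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def naive_is_allowed(filename: str) -> bool:
    """Reproduce the weak check: compare the raw text after the last dot
    against the denylist. A trailing space turns ".exe" into ".exe ",
    which is not in the set, so the file slips through."""
    dot = filename.rfind(".")
    ext = filename[dot:] if dot != -1 else ""
    return ext not in BLOCKED


def canonical_extension(filename: str) -> str:
    """Normalise a user-supplied filename before inspecting its extension.
    Windows drops trailing spaces and dots when saving a file, so the
    filter must drop them too; Unicode look-alikes (non-breaking space,
    fullwidth full stop) are folded with NFKC and case is lowered."""
    name = unicodedata.normalize("NFKC", filename)
    # Keep only the final path component (defends against embedded paths).
    name = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    # Strip trailing whitespace and dots, as the receiving OS would.
    while name and (name[-1].isspace() or name[-1] == "."):
        name = name[:-1]
    name = name.strip()
    _, dot, ext = name.rpartition(".")
    return ("." + ext.lower()) if dot else ""


def hardened_is_allowed(filename: str) -> bool:
    """Fail closed: accept only a recognised benign extension after
    normalisation. A padded, double-extension or extension-less name
    is rejected rather than waved through."""
    ext = canonical_extension(filename)
    return ext in ALLOWED and ext not in BLOCKED


if __name__ == "__main__":
    for sample in ("holiday.jpg", "invoice.exe", "invoice.exe ", "invoice.EXE."):
        print(repr(sample), naive_is_allowed(sample), hardened_is_allowed(sample))
```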
However, Facebook downplayed the risk, saying that the file would not execute on the recipient’s machine without another layer of ‘social engineering’.
The site also employs anti-virus scanning, which checks every file that passes through the message feature. This is the same approach most webmail providers take, so in that respect Facebook is on a par with the e-mail services we already use.
The company representative also added that it is ultimately far more practical for a scammer to host the .exe file on a seemingly trustworthy site and disguise the link with a URL shortener. This, in fact, is something the site has been dealing with for some time.
Indeed, shortened URLs pose a much larger danger on Facebook, especially when the scammer uses bait that readily catches people’s attention. Even so, the threat exposed by Mr. Power cannot simply be dismissed. People should remain extra vigilant about any file they receive through Facebook – or any other webmail provider, for that matter – especially when they do not know the sender.
One thing we recommend is adjusting your privacy settings so that only your friends can send you Facebook messages. Click ‘Privacy Settings’ in the top right corner and then select ‘How You Connect.’ There is an option on this menu to adjust who can send you messages via Facebook.