Facebook Flaws Allow Machine Takeover, Remote File Upload

A pair of vulnerabilities in Facebook could potentially present security issues to millions of members of the social network—whose response is a resounding "meh."

Researcher David Sopas of WebSegura discovered that an attacker could, via social engineering, gain control of a victim’s machine. The other flaw would allow the upload of an arbitrary file to the site.

In the first instance, a reflected file download issue would allow an attacker to send a malicious file from what looks like a trusted Facebook domain. The attack could be launched from Internet Explorer 9 (but can be made to work with Chrome or Opera), masquerading as a legitimate correspondence.

“To the user the entire process looks like a file is offered for download by [a] Facebook trusted domain and it would not raise any [suspicions],” Sopas said in a blog post. “A malicious user could gain total control over a victim’s computer and launch multiple attacks.”

A successful exploit would require user interaction, to varying degrees. Users with an outdated version of IE (IE 8 and earlier) would need to click a download link and then agree to execute the file once the download is complete. People with up-to-date browsers would need to be socially engineered into clicking a link to a non-Facebook domain, and from there clicking a second link to download the malicious file and execute it.

As such, Facebook said that it’s not too concerned. “We can’t control all the ways browsers may allow content downloads or the different app formats that a computer may allow,” it told Sopas. “We can’t know a priori all potential executable formats nor can we reasonably prevent someone from saving a response to their computer.”

Meanwhile a Facebook spokesman told Kaspersky Lab that in any event, it’s not eligible for a bug bounty.

“Our bug bounty program excludes reports that have no practical security implications, as well as social engineering techniques that require significant interaction from the victim because technical changes are usually not the best way to address these threats,” the spokesman said.

The second issue makes it possible to upload a file with any kind of extension to the Facebook server via the Ads/Tools/Text_Overlay tool. This online tool checks the uploaded image for ad platform compatibility.

“A user can upload executable files or just use Facebook servers as a file repository,” Sopas said. “In my proof-of-concept I uploaded a batch file without any restriction and I can access it anytime, anywhere, as long as I’m logged in on my account.”
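The check an image-upload endpoint of this kind is expected to perform, shown as an added example that is not Facebook's code and not from Sopas's write-up: the extension must be on an allowlist and the file's leading bytes must match that image type's signature, and the stored object gets a server-chosen name rather than the uploader's. Function names and the sample uploads are constructed for this illustration.

```python
import hashlib
import os
from typing import Optional

# Allowlisted image extensions mapped to the magic bytes a real file of that
# type must start with (standard PNG/JPEG/GIF signatures).
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_acceptable_image(filename: str, data: bytes) -> bool:
    """Accept an upload only if its extension is allowlisted AND the content
    carries the signature of that image type. A script with a .bat extension
    is rejected by the allowlist; a script renamed to .png is rejected by the
    signature check, so neither ends up stored on the server."""
    ext = os.path.splitext(filename)[1].lower()
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        return False
    return any(data.startswith(sig) for sig in signatures)


def storage_name(filename: str, data: bytes) -> Optional[str]:
    """Server-chosen name for an accepted upload: content hash plus the
    validated extension, so the stored object never keeps the uploader's
    filename. Returns None when the upload is rejected."""
    if not is_acceptable_image(filename, data):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return hashlib.sha256(data).hexdigest() + ext


# Constructed sample uploads: a minimal PNG header, and a batch file like the
# one in the proof-of-concept described above.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
BATCH_UPLOAD = b"@echo off\r\necho constructed sample\r\n"

if __name__ == "__main__":
    for name, blob in [("overlay.png", PNG_UPLOAD),
                       ("overlay.bat", BATCH_UPLOAD),
                       ("overlay.png", BATCH_UPLOAD)]:
        print(name, "->", storage_name(name, blob))
```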
