Facebook Shrugs off Alleged Attachment Vulnerability
Facebook downplayed an alleged vulnerability in its social-networking site that could allow a hacker to send a potentially malicious file to anyone on Facebook.
The issue concerns a Facebook feature that allows a user to send another user who is not their friend a message as well as an attachment. Facebook prohibits sending executable files, but a security penetration tester found a way to fudge the filter.
Nathan Power, who works for the technology consultancy CDW, wrote on his blog that Facebook parses part of a POST request to the server to see if the file being sent should be allowed.
If an executable is attached, Facebook warns that it can't be sent. But by modifying the POST request, specifically with an extra space after the file name that is to be sent, an executable could be attached. That poses a danger because it could allow a hacker to send, for instance, a keylogging program to another user in a kind of spear-phishing attack. The victim would then need to be convinced to open and run the file.
In a statement, Facebook's Security Manager Ryan McGeehan wrote that a successful attack would require "an extra layer of social engineering." It also only allows the attacker to send an obfuscated, renamed file to another Facebook user one at a time.
Facebook doesn't rely solely on the identification of a file by what it purports to be in name to protect users but also does a security scan of files "so we have defense in depth for this sort of vector," McGeehan wrote. He also said that webmail providers face the same problem with malicious attachments and that "this finding is a very small part of how we protect against this threat overall."
"At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we've been dealing with for a while," McGeehan wrote.
Power wrote Facebook was notified of the issue on September 30 and the company acknowledged the issue on Wednesday.
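The weakness Power describes, as an added example (not Facebook's code and not from the article): a suffix check on the raw client-supplied file name, beside a check that canonicalizes the name first and also inspects the content, the kind of defense in depth McGeehan refers to. The blocklist, function names and sample files are constructed assumptions.

```python
import unicodedata

# Constructed sample blocklist (assumption, not Facebook's actual list).
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "com"}


def naive_is_blocked(filename: str) -> bool:
    """Weak check: compares the raw suffix of the client-supplied name."""
    return any(filename.endswith("." + ext) for ext in BLOCKED_EXTENSIONS)


def canonical_name(filename: str) -> str:
    """Reduce a client-supplied name to the form the recipient's OS will use."""
    name = unicodedata.normalize("NFKC", filename)
    # Drop control and format characters before looking at the extension.
    name = "".join(c for c in name if unicodedata.category(c) not in ("Cc", "Cf"))
    # Keep only the last path component, whichever separator was sent.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing spaces and dots, so "a.exe " is saved as "a.exe".
    while name and (name[-1].isspace() or name[-1] == "."):
        name = name[:-1]
    return name.casefold()


def hardened_is_blocked(filename: str, content: bytes) -> bool:
    """Check the canonical extension, then the content itself."""
    name = canonical_name(filename)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return True
    # Defense in depth: a DOS/PE executable starts with the bytes "MZ",
    # whatever the attachment is called.
    return content[:2] == b"MZ"


# Constructed sample uploads: (file name from the request, first bytes of file).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n"),
    ("tool.exe", PE_STUB),
    ("tool.exe ", PE_STUB),   # trailing space, as in the reported bypass
    ("TOOL.EXE.", PE_STUB),   # case and trailing-dot variant
    ("notes.txt", PE_STUB),   # harmless name, executable content
]

if __name__ == "__main__":
    for fname, data in SAMPLES:
        print(repr(fname), naive_is_blocked(fname), hardened_is_blocked(fname, data))
```
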
Send news tips and comments to jeremy_kirk@idg.com
Source: https://www.pcworld.com/article/477775/facebook_shrugs_off_alleged_attachment_vulnerability.html
Posted by: leachcalist.blogspot.com