https://www.infoworld.com/d/security/se ... ook-177320" onclick="window.open(this.href);return false;Power wrote that an analysis of the browser's "POST" request sent to Facebook's servers showed that a variable called "filename" is parsed to see if a file should be allowed. But by simply by modifying the POST request with a space just after the file name, an executable could be attached to the message.
"This was enough to trick the parser and allow our executable file to be attached and sent in a message," Power wrote.
A person would not have to be an approved friend of the sender, as Facebook allows people to send those who are not their friends messages. The danger is that a hacker could use social engineering techniques to coax someone to launched the attachment, which could potentially infect their computer with malicious software.
Facebook representatives contacted in London did not have an immediate response on Thursday afternoon.
1
Security Helper
Security Helper
Beveiligingsonderzoeker Nathan Power (Pentester) van technology consultancy CDW heeft een lek (Vulnerability) ontdekt in Facebook en heeft deze openbaar gemaakt op zijn weblog waar exact staat omschreven hoe het toch mogelijk is om executables via Fabebook te versturen.
If it ain't broken, don't fix it