Facebook security flaw enables attackers to control users' PCs

Millions of users could be at risk from two vulnerabilities, but Facebook downplays significance

Social media giant Facebook could have two security flaws that may affect millions of its users, but it has decided not to act on them, according to David Sopas, a researcher at WebSegura.

According to Sopas, a reflected file download issue would enable an attacker to send a malicious file to a user as if it were offered by Facebook's trusted domain. The attacker could do this using Internet Explorer 9 or, by tweaking the method slightly, Google Chrome, Opera or Firefox.

"To the user the entire process looks like a file is offered for download by [a] Facebook trusted domain and it would not raise any [suspicions]. A malicious user could [then] gain total control over a victim's computer and launch multiple attacks," he said in a blog post.

But the attack relies heavily on user interaction. The attacker would have to hope that a user with an outdated version of Internet Explorer clicks the link to download the file, and the user would then have to run it. In another attack scenario, the attacker would social-engineer people running up-to-date browsers into clicking a link to a non-Facebook domain, then clicking a second link to download the file, and then running it.
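Reflected file download works because an API endpoint echoes attacker-controlled input into a response that the browser is then willing to save under a filename, and extension, taken from the URL. The following is an added illustration of how a defender hardens such an endpoint; it is not code from Facebook or from Sopas's write-up, and the route `/api/data`, the `callback` parameter and the fixed filename `response.json` are assumptions chosen for the example. It applies the standard mitigations: a fixed `Content-Disposition` filename, `X-Content-Type-Options: nosniff`, an identifier-only allowlist for any reflected callback name, and refusing to serve the route under any path other than its exact one.

```python
import json
import re

# Allowlist for JSONP callback names: identifier characters only, bounded length.
# Anything else (quotes, '|', '&', whitespace) is rejected instead of being
# reflected into the response body.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

# Fixed download name (assumed for this example): the browser uses this instead
# of deriving a filename and extension from a URL path the attacker chose.
FIXED_FILENAME = "response.json"

# Assumed route for the example endpoint.
ROUTE = "/api/data"


def valid_callback(name):
    """True only for a plain identifier; no metacharacters can be reflected."""
    return bool(CALLBACK_RE.fullmatch(name))


def build_response(payload, callback=None, request_path=ROUTE):
    """Return (status, headers, body) for an API response hardened against
    reflected file download. `payload` is the data to serialise; `callback`
    is the optional JSONP function name taken from the query string."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Stop the browser from sniffing the body as HTML, script or an executable.
        "X-Content-Type-Options": "nosniff",
        # A fixed filename so a reflected path segment cannot pick the extension.
        "Content-Disposition": 'attachment; filename="%s"' % FIXED_FILENAME,
    }
    # Only the exact route is served; a trailing segment such as
    # "/api/data/setup.bat" gets a 404 rather than a reflected body.
    if request_path != ROUTE:
        return 404, headers, json.dumps({"error": "not found"})

    body = json.dumps(payload)  # json.dumps escapes quotes inside user-supplied values
    if callback is not None:
        if not valid_callback(callback):
            return 400, headers, json.dumps({"error": "invalid callback"})
        body = "%s(%s);" % (callback, body)
        # With nosniff set, a <script> load only executes under a script MIME type.
        headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, body


if __name__ == "__main__":
    # Constructed inputs: a benign request and two that the mitigations reject.
    print(build_response({"q": 'a"b'}))
    print(build_response({}, callback="x||calc||"))
    print(build_response({}, request_path="/api/data/setup.bat"))
```

The two headers do most of the work: with `nosniff` the browser no longer guesses a type from the body, and with a fixed `filename` the extension of anything a user does save is chosen by the server, not by the URL. The callback allowlist closes the remaining reflection, and rejecting non-exact paths removes the URL-suffix trick the other two controls would otherwise have to absorb.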

As a result of the reliance on user interaction, Facebook downplayed the significance of the vulnerabilities.

"We can't control all the ways browsers may allow content downloads or the different app formats that a computer may allow," it told Sopas.

"We can't know a priori all potential executable formats nor can we reasonably prevent someone from saving a response to their computer," the social network said.

A Facebook spokesperson told Kaspersky Lab that the report from Sopas would not be eligible for a bug bounty.

"Our bug bounty program excludes reports that have no practical security implications, as well as social engineering techniques that require significant interaction from the victim because technical changes are usually not the best way to address these threats," the spokesperson said.

The second security issue Sopas found allows an attacker to upload a file with any kind of extension to the Facebook server using the social media company's Ads/Tools/Text_Overlay tool.

"A user can upload executable files or just use Facebook servers as a file repository," he said.

In his proof-of-concept, Sopas uploaded a batch file without any restriction and could access it from anywhere as long as he was logged in to his account.
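The upload issue is the classic missing allowlist: a feature that only needs images accepting any extension at all. As an added example, not code from Facebook's tool or from Sopas's proof-of-concept, the validator below shows the checks a defender would put in front of such an upload. The allowed extensions, size limit and magic-byte signatures are assumptions chosen for an image-only feature.

```python
import os
import secrets

# Extension allowlist for an image-only feature (assumed for this example),
# with the leading bytes that a file claiming each extension must start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 5 * 1024 * 1024  # assumed limit


def check_upload(filename, content):
    """Validate an uploaded file. Returns (accepted, stored_name_or_reason).

    Rejects path components, empty or oversized bodies, any extension outside
    the allowlist (only the final extension counts, so 'x.png.bat' is '.bat'),
    and content whose leading bytes do not match the claimed extension. An
    accepted file gets a server-chosen name; the client's name never reaches disk.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "path components not allowed"
    if len(content) == 0 or len(content) > MAX_SIZE:
        return False, "empty or oversized"
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        return False, "extension not permitted"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a batch file.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    bat = b"@echo off\r\n"
    for name, data in [("photo.PNG", png), ("run.bat", bat),
                       ("run.png", bat), ("run.png.bat", png), ("../x.png", png)]:
        print(name, check_upload(name, data))
```

The ordering matters: the name is normalised before the extension is read, the extension is checked against an allowlist rather than a denylist, and the body must agree with the extension before anything is stored. Renaming on the server is what stops the stored object from ever being served with an attacker-chosen name.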

Sopas said that he hoped his "full disclosure" would raise awareness of the security risk.