Update: On November 1 the vulnerability was fixed.
The following vulnerability was discovered by Nathan Power of SecurityPentest.com; I came across it through the excellent security blog HackPlayers. Below I walk through the problem with a classic example: a supposed photo that is actually an executable.
When you try to send a message with an attached .exe file, you receive a warning like the following:
This happens for obvious security reasons. However, simply modifying the POST parameter and the filename variable allows the executable to be attached and sent to any user. All you need to do is add a trailing space to the file name: filename="foto.exe " (note the space after the extension).
Once that change is made, Facebook can no longer tell that the file is an executable and attaches it. When the recipient receives it, they can download it with a single click:
I do not think it is necessary to spell out the impact of the problem: most users do not have file extensions shown in Windows, and for many it makes no difference whether a file is an EXE, JPG, PDF or whatever... they double-click on everything, especially when the message appears to come from a friend.
It is worth clarifying that the researcher reported the problem to Facebook on September 30. On October 26 Facebook acknowledged it, and the next day the information was made public.
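To make the root cause concrete, here is an added example (not Facebook's code and not the researcher's) contrasting the kind of naive extension check that a trailing space defeats with a hardened check that canonicalises the attacker-controlled file name before deciding. The sample file names and the blocked-extension list are constructed for the illustration; the only thing taken from the post is the `foto.exe` name with a space appended.

```python
import unicodedata

# Constructed sample file names. "foto.exe " (with a trailing space) is the
# case described in the post; the others are common normalisation gaps.
SAMPLE_FILENAMES = [
    "foto.jpg",
    "foto.exe",
    "foto.exe ",       # trailing space: bypasses a raw endswith() check
    "FOTO.EXE",        # case difference
    "foto.exe.",       # trailing dot, which Windows drops when saving
    "foto.jpg.exe",    # double extension
]

# Hypothetical blocklist for the example; a real service would use its own.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "msi"}


def is_blocked_naive(filename: str) -> bool:
    """The weak check: compares the raw string, so 'foto.exe ' passes."""
    return filename.endswith(".exe")


def canonical_extension(filename: str) -> str:
    """Reduce an untrusted file name to its lower-case final extension.

    Normalises Unicode, discards any path prefix, drops non-printable
    characters, and strips trailing spaces and dots (which Windows ignores
    when it creates the file), so the check sees what the OS will see.
    """
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = "".join(ch for ch in name if ch.isprintable())
    name = name.rstrip(" .").strip().lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def is_blocked_hardened(filename: str) -> bool:
    """The corrected check: decide on the canonical extension, not the raw name."""
    return canonical_extension(filename) in BLOCKED_EXTENSIONS


def compare(filenames):
    """Return {name: (naive_blocked, hardened_blocked)} for each sample."""
    return {f: (is_blocked_naive(f), is_blocked_hardened(f)) for f in filenames}


if __name__ == "__main__":
    for name, (naive, hardened) in compare(SAMPLE_FILENAMES).items():
        print(f"{name!r:16} naive={naive!s:5} hardened={hardened}")
```

Running it shows that `"foto.exe "` is accepted by the naive check and rejected by the hardened one. Canonicalising the name is the minimum fix; a service that stores and serves user uploads should additionally inspect the file contents rather than trusting the name at all, and serve downloads with a fixed `Content-Disposition` file name it generated itself.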
See also: Trojans in Facebook chat that pose as photos. 3 friends can change your password on Facebook. Acebook, facebok and faecbook .com domains used for scams.