Bug in new Facebook security features bared


Facebook acknowledged a messaging vulnerability that allows the sending of potentially malicious files, even as it continues to test new security features that promise to enhance users’ control over their accounts and how they access their own information.

An article on The Next Web said a security researcher has detected and disclosed a new vulnerability on Facebook that allows a third-party to use the social network’s Messages service to attach malicious files and send them to any registered user.

The exploit, which focuses on how Facebook interprets file uploads within messages, was submitted to Facebook September 30 by penetration tester Nathan Power and was recognized by the company on Wednesday, it said.

Facebook blocks malicious file uploads by default, typically issuing the response: “Error Uploading: You cannot attach files of that type.”

But Power analyzed the responses and amended the POST request, allowing him to bypass the filename check and attach a potentially malicious executable file.

However, Facebook’s security manager Ryan McGeehan told The Next Web that this finding only allows one user to send an obfuscated, renamed file to another Facebook user.

“The proof of concept, as is, would not execute on a recipient’s machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment,” he said.

McGeehan said they are scanning everything that comes through as a secondary measure, “so we have defense in depth for this sort of vector.”
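The distinction McGeehan draws, a filename string match versus inspecting what was actually uploaded, is illustrated below with an added example; it is not Facebook's code and the allowlist, the signature tables and the sample files are assumptions constructed for the demonstration.

```python
# Added example (not Facebook's code): why a name-only upload check is weak
# and what a content check adds. The policy and signatures are assumed.

# Assumed extension allowlist for an attachment feature.
ALLOWED_EXTENSIONS = {"jpg", "png", "pdf", "txt"}

# Leading bytes that identify executables regardless of the filename.
EXECUTABLE_SIGNATURES = {
    b"MZ": "DOS/Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit executable",
}

# Leading bytes expected for allowed types that have a fixed header.
EXPECTED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}

# Constructed sample payloads (not real files): a PE-style header and a JPEG header.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 24


def _extension(filename):
    """Return the lower-cased extension, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_by_name_only(filename):
    """The weak check: trusts the client-supplied name (pure string matching).
    A renamed executable passes because the bytes are never looked at."""
    return _extension(filename) in ALLOWED_EXTENSIONS


def check_by_content(filename, data):
    """Defence in depth: the name must be allowed AND the bytes must agree with it.
    Returns (accepted, reason)."""
    if not check_by_name_only(filename):
        return False, "extension not allowed"
    for signature, kind in EXECUTABLE_SIGNATURES.items():
        if data.startswith(signature):
            return False, f"content is a {kind}"
    expected = EXPECTED_SIGNATURES.get(_extension(filename))
    if expected and not any(data.startswith(s) for s in expected):
        return False, f"content does not match .{_extension(filename)}"
    return True, "ok"
```

The same PE-style bytes are rejected as `report.exe` by the name check alone, but as `holiday.jpg` only the content check catches them.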

He added that this finding concerns only a very small part of how Facebook protects against this threat overall.

“At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while,” he said.

Facebook beefing up security

In a blog post, Facebook said it will be testing “Trusted Friends” and “App Passwords” for the social networking site in the coming weeks.

“We are adapting and responding to new threats every day and will continue to roll out new ways to protect your account. Be on the lookout for more announcements throughout the rest of this year, and remember to stay vigilant while online and remind others to do the same,” it said.

Facebook said its work on security has resulted in “less than half a percent” of users experiencing spam on any given day.

Also, it said only a fraction of a percent of users ever experience any security-related issues.

“But we know there is plenty more work to be done and we will keep striving to make sure that every time you log in to Facebook, you have a safe and social experience,” it said.

Trusted friends

The new “Trusted Friends” tool helps a Facebook member who is locked out of his or her account.

It is similar to other features that help one prove one’s identity through one’s friends.

“If you forgot your password and need to log in but can’t access your email account, you can rely on your friends to help you get back in. We will send codes to the friends you have selected and they can pass along that information to you,” it said.

App passwords

App passwords will help with Login Approvals, whose security codes do not always work when logging in through third-party applications.

“You can generate a password that you won’t need to remember, just enter it along with your email when logging into an application,” it said. — TJD, GMA News

Article source: http://www.gmanews.tv/story/236976/technology/bug-in-new-facebook-security-features-bared