Unpatched security vulnerabilities affecting Facebook

A web security researcher from Portugal has discovered several vulnerabilities affecting Facebook that he considers to be serious, but hasn’t had much success convincing the company of that, so he shared the information with the public.

David Sopas, a security researcher at WebSegura.net, has documented the existence of an Open File Upload vulnerability that allows attackers to upload a file with any kind of extension to Facebook servers via the Ads/Tools/Text_Overlay tool.

“A user can upload executable files or just use Facebook servers as a file repository. In my proof-of-concept I uploaded a batch file without any restriction and I can access it anytime, anywhere, as long as I’m logged in on my account,” he noted.
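The kind of server-side check that would refuse such an upload, as an added example that is not from the researcher's report or from Facebook's code: it assumes the overlay tool only needs PNG, JPEG and GIF images, and the function name, allowlist and sample files are constructed for illustration.

```python
import os

# Assumption: an image-overlay tool only needs raster images.
# Each allowed extension maps to the byte signatures such files start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hypothetical helper: return (accepted, reason) for one uploaded file."""
    # Discard client-supplied directory parts (both separator styles).
    name = os.path.basename(filename.replace("\\", "/"))
    # Control characters or NUL in a name can confuse later path handling.
    if not name or any(ord(c) < 32 for c in name):
        return False, "bad filename"
    stem, ext = os.path.splitext(name.lower())
    # Allowlist, not denylist: anything that is not a known image type fails.
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    # Conservative policy choice: refuse names such as "poc.bat.png".
    if os.path.splitext(stem)[1]:
        return False, "multiple extensions"
    # The extension is only a claim; the leading bytes must agree with it.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8   # constructed sample bytes
    script = b"@echo off\r\n"                  # constructed sample bytes
    for fname, body in [("overlay.png", png), ("poc.bat", script),
                        ("poc.png", script), ("poc.bat.png", png)]:
        print(fname, validate_upload(fname, body))
```

An accepted file should still be stored under a server-generated name rather than the one the client supplied.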

He also found several Reflected Filename Download vulnerabilities, which can be misused to trick users into believing they are downloading a file – for example malware – from a trusted Facebook domain.

The RFD flaw he discovered more recently is, in his opinion, even more dangerous than the previous ones, as “it lacks any type of authentication like access_token, api_key or even an account on Facebook.”

All a potential victim needs to do to get compromised is to click on a link that automatically downloads a .bat file specifically crafted to execute a browser – IE, Chrome, Opera, Android Browser or Chrome for Android – and open a malicious page.