SoylentNews is people

posted by n1 on Tuesday December 30 2014, @09:44PM
from the dynamic-workforce-initiative dept.

A researcher has found a way to upload potentially malicious code to Facebook's servers by hiding it inside a harmless-looking Microsoft Word document file.

In July, Egypt-based security researcher Mohamed Ramadan discovered what he called a blind XML External Entity (XXE) out-of-band (OOB) vulnerability on Facebook's facebook.com/careers website.

On this site, users who want to apply for a job with Facebook can upload their résumé in .pdf or .docx format. This normally prevents the uploading of malicious files. However, .docx (Office Open XML) is a zipped, XML-based file format, which allowed the researcher to extract its contents using a file archiving application.

By altering the extracted files and placing them inside a .docx file, the expert managed to upload arbitrary code to Facebook's server. The test code developed by the researcher was simply designed to contact an HTTP server running on his computer. It took roughly 15 minutes for the file uploaded to Facebook to contact Ramadan's server, but the attack method had worked.

According to the researcher, the security hole could have been leveraged for a wide range of malicious tasks, including denial-of-service (DoS) attacks, TCP scans, and access to XML files. In certain circumstances, an attacker could have also gained access to sensitive information and launched DDoS attacks, the expert believes.

Facebook initially failed to reproduce the attack, but after further investigations the social media giant admitted it was a security issue and fixed it. In August, the company rewarded Ramadan with $6,300 for his findings.
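
A server-side check for the kind of tampered upload described above, as an added example that is not from the article or from Facebook's code: it opens the .docx as a zip archive and flags any XML part that declares a DOCTYPE, aborting the parse before any entity declaration is processed. The function names, the size limit and the two sample documents are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.parsers.expat

MAX_PART_BYTES = 10 * 1024 * 1024  # assumed per-part limit, tune for your service


class DtdFound(Exception):
    """Raised as soon as the parser sees a DOCTYPE declaration."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Called at the start of the DOCTYPE, before any <!ENTITY ...> is read.
    raise DtdFound(name)


def suspicious_xml_parts(docx_bytes):
    """Return names of XML parts that carry a DTD, are oversized or malformed."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                flagged.append(info.filename)
                continue
            parser = xml.parsers.expat.ParserCreate()
            parser.StartDoctypeDeclHandler = _reject_doctype
            try:
                parser.Parse(zf.read(info), True)
            except (DtdFound, xml.parsers.expat.ExpatError):
                flagged.append(info.filename)
    return flagged


def build_sample(document_xml):
    """Constructed sample: a minimal zip holding one word/document.xml part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed inputs: an untouched part and one with an added DOCTYPE.
CLEAN = build_sample("<document><body>resume text</body></document>")
TAMPERED = build_sample(
    '<!DOCTYPE document [<!ENTITY ext SYSTEM "http://example.invalid/">]>'
    "<document><body>resume text</body></document>"
)
```

An upload for which `suspicious_xml_parts` returns a non-empty list is rejected before it reaches the document-processing parser, which should itself have DTD and external-entity resolution disabled.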

  • (Score: 2) by darkfeline on Tuesday December 30 2014, @10:24PM

    by darkfeline (1030) on Tuesday December 30 2014, @10:24PM (#130355) Homepage

    Last time I tried to use it, it wouldn't accept my LaTeX-generated PDF. It doesn't surprise me that it was/is poorly coded.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 2) by Alfred on Tuesday December 30 2014, @10:38PM

    by Alfred (4006) on Tuesday December 30 2014, @10:38PM (#130361) Journal
    Too bad it is not the norm. I bet Facebook has beat down others for similar submissions. This just makes for feel good about Facebook news, which is why it is being reported.
    • (Score: 3, Interesting) by kaszz on Wednesday December 31 2014, @12:11AM

      by kaszz (4211) on Wednesday December 31 2014, @12:11AM (#130393) Journal

      Just ask Khalil Shreateh what happened when he found a bug [ap.org], told security and eventually made a post to Zuckerberg's Wall to make them aware of the bug. Seems Facebook still hasn't paid him, instead people donated money.

      So Suckerbergs Facebait is still there to suck you dry...

      Actually German politicians got clueless so security firms pack up and leave them for more sane countries. The Register: Germany enacts 'anti-hacker' law [theregister.co.uk].
      (theregister.co.uk doesn't support https and implicitly supports spying)

  • (Score: 3, Insightful) by goody on Wednesday December 31 2014, @12:40AM

    by goody (2135) on Wednesday December 31 2014, @12:40AM (#130400)

    They gave him $6,300? They would have lost several orders of magnitude more money if this vulnerability got out into the wild. $50K would have been pocket change to Facebook, and a worthy reward.

    • (Score: 0) by Anonymous Coward on Wednesday December 31 2014, @02:38AM

      by Anonymous Coward on Wednesday December 31 2014, @02:38AM (#130436)

      Give him enough to make him happy; but not enough that he stops looking and reporting.

    • (Score: 0) by Anonymous Coward on Wednesday December 31 2014, @11:37AM

      by Anonymous Coward on Wednesday December 31 2014, @11:37AM (#130487)

      Means he sold the information to the wrong buyer

  • (Score: 2, Funny) by Anonymous Coward on Wednesday December 31 2014, @04:34AM

    by Anonymous Coward on Wednesday December 31 2014, @04:34AM (#130452)

    "A harmless-looking Microsoft document file?"

    Since when have Microsoft document files been trustworthy? My first virus (Concept) was brought to me in one of those files.

    And it's only gotten worse. [sophos.com]

    As far as I am concerned, I treat a .doc file with all the due respect of a public toilet. Avoiding it if at all possible. Unless some businessman thinks he just has to foist the filthy thing into my hand, then I carefully open it up with a viewer, only to find out some script has to run to display its content.

    In the old days, reaching down in your pants to scratch your balls, then extending that same hand for a business shake would be considered bad etiquette, as it demonstrated a lack of personal hygiene. These days, I feel giving a customer a .doc file demonstrates the same ignorance of digital hygiene. It's one of those simple business gestures that demonstrate a lack of respect for the customer, like a restaurateur serving the customer a meal in dirty dishes.

    • (Score: 2) by kaszz on Wednesday December 31 2014, @05:38PM

      by kaszz (4211) on Wednesday December 31 2014, @05:38PM (#130571) Journal

      It demonstrates cluelessness in regards to digital hygiene.