A researcher managed to execute malicious code on Facebook's servers by uploading a specially prepared Word document. The vulnerability was in Facebook's careers website, where people who want to work for Facebook can upload their CV as a PDF or docx document. Researcher Mohamed Ramadan, however, knew that docx files are actually zipped XML files.
He opened his cv.docx with the zip utility 7-Zip and found several XML files. He then added code so that Facebook's server would connect to his own server. Initially Ramadan thought his code had not worked, until after a quarter of an hour he saw that a Facebook server had indeed connected to his server.
According to the researcher, this could be abused in various ways, such as performing a denial of service, TCP scans and other commands. Facebook initially thought there was no problem and that a recruiter had simply opened the cv.docx file and clicked on the link. Not much later, however, the social networking site confirmed that it was indeed a vulnerability, which has now been fixed. Ramadan received 6,300 dollars for his bug report.
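A server that fetches a URL while processing XML from an uploaded docx is the classic XML External Entity (XXE) pattern, and the defensive check below is an added example, not code from the article or from Facebook. It assumes a stdlib-only upload handler: since Office Open XML parts never need a DOCTYPE or entity declaration, any such markup inside the zip's XML members is grounds to reject the file before an XML parser ever sees it; the sample documents and the `attacker.invalid` host are constructed.

```python
import io
import re
import zipfile

# Constructed samples: a clean document part, and one whose prolog declares an
# external entity (the kind of markup that makes a naive parser fetch a URL).
_CLEAN_XML = (b'<?xml version="1.0"?>'
              b'<w:document xmlns:w="urn:x"><w:body>hello</w:body></w:document>')
_XXE_XML = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE w:document [<!ENTITY ext SYSTEM "http://attacker.invalid/">]>'
            b'<w:document xmlns:w="urn:x"><w:body>&ext;</w:body></w:document>')

def build_docx(document_xml: bytes) -> bytes:
    """Assemble an in-memory zip with the members a minimal .docx carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        z.writestr("_rels/.rels", b'<?xml version="1.0"?><Relationships/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# DTD markup: DOCTYPE and ENTITY declarations (ENTITY also covers parameter
# entities). Matched case-insensitively to be conservative.
_DTD_MARKUP = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
_XML_PARTS = (".xml", ".rels")

def find_dtd_markup(docx_bytes: bytes) -> list[str]:
    """Return the names of XML parts in the archive that contain DTD markup."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(_XML_PARTS):
                continue  # media and other binary parts are never parsed as XML
            with z.open(name) as part:
                # A DOCTYPE must precede the root element, so the prolog is
                # enough; the 1 MiB bound also limits decompression per part.
                head = part.read(1 << 20)
            if _DTD_MARKUP.search(head):
                flagged.append(name)
    return flagged

def accept_upload(docx_bytes: bytes) -> bool:
    """Accept the upload only if it is a zip whose XML parts carry no DTD markup."""
    try:
        return not find_dtd_markup(docx_bytes)
    except zipfile.BadZipFile:
        return False

if __name__ == "__main__":
    print(accept_upload(build_docx(_CLEAN_XML)), accept_upload(build_docx(_XXE_XML)))
```

This pre-check is a gate, not a substitute: whatever parses the accepted parts should still be configured to refuse DTDs and never resolve external entities.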