Posted on June 12, 2020 at 3:04 PM
A Facebook App Vulnerability could have Led to Persistent Attack
Today, Reason Labs security researchers revealed that they recently discovered a vulnerability in the Facebook Messenger application for Windows. The security research team is a division of Reason Cybersecurity, a security solutions provider.
According to the researchers, the vulnerability is found in version 460.16 of the Facebook Messenger app. It could allow hackers to execute malicious files already present on an infected system, helping the malware gain extended or persistent access.
The vulnerability has been patched
Reason Labs initially revealed its discovery to Facebook in April. Immediately after receiving news of the flaw, the social media giant patched the vulnerability and updated the vulnerable Messenger app for Windows users through the Microsoft Store.
The flaw could allow hackers to take full control
The researchers said the flawed app triggers a call to load Windows PowerShell from the C:\python27 path, which is generally created during the installation of Python version 2.7. The researchers also said this path is not common on most Windows installations.
Hackers can take control of such an action, which tries to load seemingly non-existent protocols, to secretly run malware. Besides, the malicious program can have access to administrator privileges since the targeted network is in a low-integrity area.
Reason Labs tested whether the flaw can be exploited. They set up a reverse shell disguised as Powershell.exe and placed it in the Python directory.
Afterwards, the team ran the Messenger app, which triggered the call and executed the reverse shell successfully. This proved that the flaw can be exploited for continuous attacks by a malicious app.
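A defender-side check for the behaviour described above, as an added example that is not from Reason Labs or Facebook: it flags process-creation events in which an image named powershell.exe runs from outside the Windows PowerShell system directories. The event field names, the parent process names and the sample events are constructed for illustration.

```python
import ntpath

# Directories where Windows itself installs powershell.exe.
TRUSTED_DIRS = {
    ntpath.normcase(r"C:\Windows\System32\WindowsPowerShell\v1.0"),
    ntpath.normcase(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0"),
}


def is_planted_powershell(image_path):
    """True if the image is named powershell.exe but sits outside the trusted dirs."""
    # Strip quoting, collapse ".." segments, unify slashes and case before comparing.
    cleaned = image_path.strip().strip('"')
    path = ntpath.normcase(ntpath.normpath(cleaned))
    if ntpath.basename(path) != "powershell.exe":
        return False
    return ntpath.dirname(path) not in TRUSTED_DIRS


def find_suspicious(events):
    """Return (parent, image) pairs for events whose image looks planted."""
    return [(e["parent"], e["image"]) for e in events
            if is_planted_powershell(e["image"])]


# Constructed sample events; "parent" and "image" are hypothetical field names
# modelled on what process-creation logging typically records.
SAMPLE_EVENTS = [
    {"parent": "Messenger.exe", "image": r"C:\python27\Powershell.exe"},
    {"parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent": "cmd.exe", "image": r"C:\python27\python.exe"},
    # Path traversal that resolves to C:\python27\powershell.exe.
    {"parent": "Messenger.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\..\..\..\..\python27\powershell.exe"},
]

if __name__ == "__main__":
    for parent, image in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {parent} started {image}")
```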
Traditionally, hackers who use persistent attacking methods depend heavily on scheduled tasks, registry keys, and services to remain active within the affected system. However, this flaw is known to be more difficult to exploit.
That’s probably one of the reasons why it hasn’t been exploited yet. The attackers would have observed whether the app is making an upward call. They could also have gone deep into the binary code of the app to locate a protocol that makes such a call.
Users are advised to update their old app
The vulnerability has been fixed in version 480.5, which turned out to be the most recent release Reason Labs tested. Facebook has already issued a notification to users running the older, vulnerable version of the app to update as soon as possible.
The vulnerability can lead to other attacks
Hackers can take advantage of the vulnerability to keep accessing details from the device for an extended period. This type of continual access can allow them to carry out other hacking attacks, including data exfiltration, ransomware implantation, and other breaches.
Threat groups also utilize persistent hacking methods to carry out specialized hacks targeting government offices, financial institutions, and other industrial facilities.
An attack could have been widespread
Also, if the flaw had been exploited, the threat could have affected several systems and devices, given Facebook Messenger's 1.3 billion users each month. The actual figure is even higher, as it takes into account only users who access the app with their devices. Several others access the app via their Windows systems.
With messenger apps seeing increased usage during the current COVID-19 pandemic, the impact could be even worse. As travel and work restrictions are in place in several countries, the use of video conferencing apps and messenger tools has been on the increase. Users rely heavily on these apps to communicate with friends and colleagues they cannot visit physically due to the restrictions.
As Facebook Messenger is one of the popular apps, it could have affected several users if the vulnerability had been exploited successfully. In March this year, the company reported a 50% increase in messaging and a 1000% increase in time in group calls.