Facebook Inc. typically protects its users from malware by blocking executable files from being sent through its messaging feature. But its filter can be tricked with a tap of the spacebar, one security expert disclosed.
The information Facebook uses to detect executable files looks at the "filename" variable in the information being sent through its website, according to an article Computerworld published Thursday. Putting a space after the filename in that variable's description "was enough to trick the parser and allow our executable file to be attached and sent in a message," Nathan Power, the senior security penetration tester for the tech consultancy CDW, said in the blog post where he revealed the security flaw.
By exploiting this flaw, a user could send malicious software via Facebook to steal other users' banking passwords or other sensitive information. The recipient does not have to be on the sender's friends list.
Facebook representatives did not have an immediate comment, the article said.