Facebook Messenger Bug
Researchers at Reason Labs, the threat research team of Reason Cybersecurity, have recently disclosed details of a vulnerability they found in the Facebook Messenger app for Windows.
According to the disclosure, a flaw in Messenger version 460.16 could let attackers abuse the app to execute malicious files on devices that are already compromised, making it easier for malware to keep access to them. The researchers explained that the vulnerable Messenger version makes a call to the C:\python27 path to load Windows PowerShell. That directory is normally created only when Python 2.7 is installed and does not exist on most Windows installations.
Calls that try to load resources which may not exist can easily be hijacked by malicious actors and used to covertly execute malware. Moreover, because the target directory sits at low integrity, a malicious program can write to that path without needing administrator privileges. To test whether the flaw was exploitable, the Reason Labs team planted a reverse shell in the Python directory, disguised as Powershell.exe. They then launched the Messenger app, which triggered the call and executed the reverse shell, demonstrating that attackers could use the vulnerability for persistent attacks.
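The defender-side check that follows from the description above is an audit of the hijack location: does the normally absent C:\python27 directory exist, is there an unexpected powershell.exe inside it, can non-administrators write there, and is an unpatched Messenger build still installed. The script below is an added example written for this article; it is not Reason Labs' or Facebook's code. It assumes the hijacked file is C:\python27\powershell.exe (the article names the directory and the impersonated binary but not the full path), that the Store package name contains "Messenger", and that 480.5 is the first fixed version, as the article reports.

```powershell
# Added audit script (assumption: hijack target is C:\python27\powershell.exe).
$HijackDir  = 'C:\python27'
$HijackFile = Join-Path $HijackDir 'powershell.exe'
$RealPwsh   = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$PatchedVer = [version]'480.5'   # first version the article reports as patched

$findings = @()

# 1. The directory normally exists only when Python 2.7 is installed.
if (Test-Path -LiteralPath $HijackDir) {

    # 2. A powershell.exe inside it is never part of a Python install; compare it
    #    against the real binary and check its Authenticode signature.
    if (Test-Path -LiteralPath $HijackFile) {
        $sig      = Get-AuthenticodeSignature -FilePath $HijackFile
        $hash     = (Get-FileHash -Path $HijackFile -Algorithm SHA256).Hash
        $realHash = (Get-FileHash -Path $RealPwsh  -Algorithm SHA256).Hash
        if ($sig.Status -ne 'Valid' -or $hash -ne $realHash) {
            $findings += "Unsigned or unexpected binary at $HijackFile (SHA256 $hash); isolate the host and investigate."
        }
    }

    # 3. If ordinary users can write into the directory, any low-privilege
    #    process can plant a payload there; tighten the ACL.
    $acl     = Get-Acl -LiteralPath $HijackDir
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Authenticated Users|Everyone' -and
        $_.FileSystemRights  -match 'Write|Modify|FullControl|CreateFiles'
    }
    if ($writers) {
        $findings += "$HijackDir is writable by: $($writers.IdentityReference -join ', ')"
    }
}

# 4. Flag an installed Messenger package older than the patched release.
#    Assumption: the Store package name contains 'Messenger'.
$pkgs = Get-AppxPackage -Name '*Messenger*' -ErrorAction SilentlyContinue
foreach ($p in $pkgs) {
    if ([version]$p.Version -lt $PatchedVer) {
        $findings += "$($p.Name) $($p.Version) is older than $PatchedVer; update it through the Microsoft Store."
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No hijack indicators found.'
}
```

Run it from an elevated prompt so that Get-Acl can read the directory's security descriptor; on a clean machine with no Python 2.7 and an updated Messenger it reports nothing. The hash comparison deliberately uses the signed PowerShell binary under System32 as the reference, since a planted file that merely carries the right name will fail both the signature and the hash check.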
Attackers seeking persistence typically rely on registry keys, scheduled tasks and services to keep their access to a device. This particular weakness is harder to exploit: an attacker has to observe that an application makes an unwanted call, or dig into the application's binary code to find a function that makes one.
In April, Reason Labs shared its findings with Facebook, which promptly fixed the flaw in an update to Facebook Messenger for Windows delivered through the Microsoft Store. In the most recent version Reason's team tested, Messenger 480.5, the vulnerability was patched. Users running the flawed version or an older one are advised to upgrade to the latest version promptly to prevent exploitation of the vulnerability.
So far, there is no indication that the Messenger vulnerability was exploited before Reason Labs discovered it. Still, a weakness of this kind in an app with more than 1.3 billion monthly active users, such as Facebook Messenger, could have had an enormous impact had it been exploited, and even more so now that the coronavirus pandemic has brought travel restrictions, lockdowns and forced work-from-home arrangements in which users rely heavily on messaging applications and video conferencing tools for online communication and collaboration.
In general, flaws of this kind are extremely dangerous. Attackers can use them to maintain long-term access to devices, and such continuous access can enable further attacks, including the planting of ransomware, data theft, espionage and various kinds of online fraud. Organized cybercriminal groups often use persistence methods to carry out sophisticated attacks on financial institutions, government departments and other industrial installations.