Greeting Everyone! Hope Everything is going well and good recently A security researcher has found a vulnerability issue in Facebooks Android app in their download features which advanage fir an attacker that could be exploited to launch remote code execution (RCE) attacks. And For finding this critical issue researcher awarded the researcher $10,000 for finding the bug.
What is rce?
Rce Contain remote code execution arbitrary code execution is an attacker’s ability to execute arbitrary commands or code on a target machine which interpreter with system. RCE is critical Vulnerability which has huge impact .
As according To facebook application in their android app which contain two methods when downloading file from group a built in Android service called first DownloadManager and a second method called Files Tab. As researcher Sayed Abdelhafiz verified a path traversal flaw in mehod second Called Files Tab.
“I discovered an ACE on Facebook for Android that can be triaged through a download file from group Files Tab without opening the file,” he said in a post on Medium.
The vulnerability was in the second method. While security measures were implemented on the server-side when uploading the files, it was easy to bypass those.
“The first idea that came to my mind was to use path traversal to overwrite native libraries which will lead to executing arbitrary code,” Abdelhafiz said.
Abdelhafiz explained how the Files Tab flaw enabled the researcher to launch RCE attacks against a target device.
The vulnerability in the Files Tab has now been fixed.