A vulnerability in the Facebook Messenger application for Windows was just discovered by Reason Labs security researchers.
The vulnerability is present in Messenger version 460.16, and it could allow attackers to exploit the app to execute malicious files already present on the targeted system. This could then help malware obtain persistent or extended access to the victim’s system.
The good news is that Facebook has already fixed the bug with the release of an updated version of the application via the Microsoft store.
Facebook Messenger App Vulnerability
According to the researchers, the app executes code that shouldn’t be executed, which leads to a vulnerability allowing attackers to hijack a call for a resource within the Messenger code in order to run malware:
By testing the new “Messenger” desktop application, the researchers came across a strange call to load the Powershell.exe from the Python27 directory. Upon noticing that, they knew they found something since the location of “Python27” is in the “c:\python27” directory, which is a low-integrity location. This means that every malicious program can access the path without the need of admin privileges.
The researchers decided to create a reverse shell with msfvenom and a listener with Metasploit just as a POC (proof-of-concept). Once the reverse shell was created, it was transferred to the c:\python27 directory and its name was changed to Powershell.exe which enabled them to hijack the call.
We ran our listener on the attacker machine so it would be ready to get the reverse shell connection from the victim machine. Then we executed the “Messenger” application and got the reverse shell connection, the Reason Labs team says in the report.
What is worse is that the vulnerability is also described as a “persistent threat” that can give attacks undetected access for an extended period of time. Fortunately, it has now been fixed.