I read this post and the original and I’m kind of unclear what’s happening. Something about an image file, and a downloaded file, and double clicking.
It mentions HTA. For those, it’s probably the fact that it’s HTA:
https://en.wikipedia.org/wiki/HTML_Application#Security_considerations
The other two mentioned are JS and SVG (which can have JS). Running these from within Facebook app might let them hijack it or do nefarious things typical with web app attacks. I’ll let a websec expert explore that option as I haven’t done that in a long time and don’t remember. The common denominator with these is that they’re executable and being opened by users thinking they’re image files. Sounds like a modern variant of the old attack that disguised executables as PDF files by making the filename too long to see the .exe part & keeping the exe icon the same as Adobe. Social engineering mainly.
Security researchers have realised that the graphics libraries are full of holes so are exploiting that fact by uploading malicious images which render correctly. This means they can attack a larger number of victims successfully as there are no checks performed for such issues by the social network sites for such types of images if at all possible?
I mean, if you’ve got a jpeg exploit, you’d just use that and own my browser. But they need the user to run an HTA. So like nick says, this is basically “users will run exec sent to them in email” but with some acronyms changed?
Ah, I see :)
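An added example, not part of the thread: a defender-side check for the pattern discussed above, where a file presented as an image is really an HTA, JS, or script-bearing SVG. The function name `inspect_upload`, the rule set, and the sample inputs are assumptions constructed for illustration.

```python
import re

# Magic-byte prefixes for common raster image formats.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions from the thread that a script host runs when double-clicked.
SCRIPT_EXTS = {"hta", "js"}
# Conservative markers of active content in SVG (may over-match; that is intended).
SVG_ACTIVE = re.compile(rb"<script\b|\bon\w+\s*=|javascript:", re.I)


def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Return reasons a file offered as an 'image' should be quarantined."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTS:
        findings.append(f"script-host extension .{ext}")
    # Double extension such as photo.jpg.hta: image-looking name, executable tail.
    if len(parts) > 2 and parts[-2] in IMAGE_MAGIC and ext not in IMAGE_MAGIC:
        findings.append("image extension hidden before final extension")
    # Named like a raster image, but the bytes are something else.
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append(f"content does not match .{ext} magic bytes")
    # SVG is XML and may legitimately exist, but not with script in an image slot.
    if ext == "svg" or b"<svg" in data[:1024].lower():
        if SVG_ACTIVE.search(data):
            findings.append("SVG contains script or event handlers")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real campaign.
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "photo.jpg.hta": b"<html><hta:application/></html>",
        "photo.jpg": b"<html>not an image</html>",
        "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* x */</script></svg>',
    }
    for name, blob in samples.items():
        print(name, "->", inspect_upload(name, blob) or "ok")
```

A check like this addresses the disguise only; it does not detect a malformed image aimed at a bug in a graphics library, which is the separate case raised in the thread.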