Facebook awards $10K for finding bug in its Android app

Updated October 6, 2020

New Delhi: A security researcher has found a vulnerability in the download feature of Facebook's Android app that could be exploited to launch remote code execution (RCE) attacks. The social networking giant awarded the researcher $10,000 for finding the bug.

Facebook's Android app uses two methods of downloading files from a group: a built-in Android service called DownloadManager and a second method called Files Tab.

Security researcher Sayed Abdelhafiz discovered a path traversal flaw in the second method.

"I discovered an ACE on Facebook for Android that can be triaged through a download file from group Files Tab without opening the file," he said in a post on Medium.

The vulnerability was in the second method. While security measures were implemented on the server side when uploading the files, it was easy to bypass those.

"First idea that came to my mind was to use path traversal to overwrite native libraries which will lead to executing arbitrary code," Abdelhafiz said.

Abdelhafiz explained how the Files Tab flaw enabled the researcher to launch RCE attacks against a target device.

The vulnerability in the Files Tab has now been fixed.

In June this year, Ahmedabad-based security researcher Bipin Jitiya won Rs 23.8 lakh ($31,500) from Facebook for identifying a bug in its social networking platform and a third-party business intelligence portal.

Jitiya, 26, identified the web security vulnerability, an internal blind Server-Side Request Forgery (SSRF), in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.

MicroStrategy has partnered with Facebook on data analytics projects for several years. Jitiya reported the bug to MicroStrategy's security team, who acknowledged it, saying the issue has been mitigated.

In May, 27-year-old Indian security researcher Bhavuk Jain grabbed $100,000 (over Rs 75.5 lakh) from Apple for discovering a now-patched zero-day vulnerability in the Sign in with Apple account authentication.

The zero-day vulnerability could have allowed a hacker to break into the accounts of Apple users who log into third-party apps like Dropbox, Spotify, Airbnb and Giphy (now acquired by Facebook) and more.
