The neglected bug that can infect All Facebook users who pay for leads ads.

Hesham Watany
Apr 23, 2019 · 3 min read
Photo by Con Karampelas on Unsplash

If you are paying for lead generation form in Facebook beware, your computer could be infected, your leads could be hacked.

When you make an ad that asks the Facebook user to put his contact information to call him later, you regularly check the new leads by downloading the excel/CSV file.

This file can be easily infected by any user by just entering any spreadsheet formula in the form which can execute any command in your sheet and also in your computer.

The funny part is if any user enters any formula that open cmd (windows command line) or any other program the file that you downloaded from facebook is considered infected and may contain a virus.
Example of opening calculator using spreadsheet formula
(=cmd|’ /C calc’!A0 ).

By this ability any user can run commands in your computers, can download files to your computers and run it.

You can avoid it by upgrading your antivirus and your operating system regularly, or just don’t download the leads that you paid for.

Example of lead generation form that we use every day

Video Proof of concept:

Facebook Lead Form Ads Formula CSV Injection by Hesham Watany

Technical stuff….

This bug considered as a security bug in the OWASP top 10 critical risks.

I have tried to report it to the security team, but they didn’t find it a security problem from their side.

…..and they replied

Then I tried to explain more how dangerous it is

…. they still see that this is not a security problem.

The Facebook security team is always working on making the platform safer for all of us.

Maybe they are wrong, maybe I am, but this security bug could really harm users computers.

However till they fix it, make sure that your computer and your leads are safe.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store