The neglected bug that can infect All Facebook users who pay for leads ads.

Photo by Con Karampelas on Unsplash

If you are paying for lead generation form in Facebook beware, your computer could be infected, your leads could be hacked.

When you make an ad that asks the Facebook user to put his contact information to call him later, you regularly check the new leads by downloading the excel/CSV file.

This file can be easily infected by any user by just entering any spreadsheet formula in the form which can execute any command in your sheet and also in your computer.

The funny part is if any user enters any formula that open cmd (windows command line) or any other program the file that you downloaded from facebook is considered infected and may contain a virus.
Example of opening calculator using spreadsheet formula
(=cmd|’ /C calc’!A0 ).

By this ability any user can run commands in your computers, can download files to your computers and run it.

You can avoid it by upgrading your antivirus and your operating system regularly, or just don’t download the leads that you paid for.

Example of lead generation form that we use every day

Video Proof of concept:

Facebook Lead Form Ads Formula CSV Injection by Hesham Watany

Technical stuff….

This bug considered as a security bug in the OWASP top 10 critical risks.

I have tried to report it to the security team, but they didn’t find it a security problem from their side.

…..and they replied

Then I tried to explain more how dangerous it is

…. they still see that this is not a security problem.

The Facebook security team is always working on making the platform safer for all of us.

Maybe they are wrong, maybe I am, but this security bug could really harm users computers.

However till they fix it, make sure that your computer and your leads are safe.