This article is more than 1 year old
Hacker cracks Facebook with remote code execution bug
ImageMagick exploit earns chap US$40k bug bounty
Facebook has paid US$40,000 to vulnerability hunter Andrew Leonov for disclosing how the hacker gained remote code execution on its servers through the widely-reported ImageMagick flaw.
Leonov (@4lemon) described how he discovered the so-called ImageTragick flaw still impacting Facebook in a post that detailed all but the most sensitive proof-of-concept exploit which he provided as evidence to the social media giant.
He says Facebook paid out US$40,000 for the severe vulnerability report.
Facebook's highest bounty pay out as of January 2014 stood at US$33,500 to vulnerability hunter Reginaldo Silva for a remote code execution bug.
Facebook has been contacted to confirm the bug and payment.
The open source ImageMagick tools are used by scores of web properties to resize, crop, and tweak pictures.
Project staff reported in May that the tools could be abused to allow attackers to upload malicious images that grant remote code execution from where various further compromise, data exfiltration, and lateral movement may be possible.
Web property owners pounced to patch the bug within hours, a feat that could prove difficult for entities with enormous code bases such as Facebook.
Leonov found the flaw after a service redirected him to Facebook, which he suspected initially was a server side request forgery.
He says he reported the vulnerability to Facebook through its bug bounty scheme in October with a fix pushed less than three days later.
As of October 2016, Facebook had paid out US$5 million in bug bounties since 2011. ®