Facebook Awards $40,000 Bounty for ImageTragick Hack

A researcher claims to have received a $40,000 bounty from Facebook for finding a remote code execution vulnerability introduced by the ImageMagick image processing suite.

The ImageMagick flaw, tracked as CVE-2016-3714 and dubbed “ImageTragick,” was disclosed in May 2016. The security hole had already been exploited in the wild, and security firms soon started seeing an increasing number of attempts to leverage the flaw for reconnaissance and remote access.

Since ImageMagick is used by several image-processing plugins and is present in many web applications, researchers immediately began looking for ImageTragick in the services of major companies, including Yahoo.

Russian security researcher Andrey Leonov discovered recently that Facebook had also used a vulnerable version of ImageMagick. The expert noticed a Facebook request that included a parameter named “picture,” whose value was a URL. The image fetched by this parameter was converted before being displayed to the user.

After attempting to find server-side request forgery (SSRF) and XML external entity (XXE) flaws, Leonov tested the request for the ImageTragick bug. He determined that while the request designed to fetch the image file was not vulnerable, the image converter behind it used a vulnerable version of the ImageMagick library.
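The flow described above (a URL-valued parameter whose target is fetched and then converted) is exactly where the two standard ImageTragick mitigations apply: check that a fetched file really is a raster image before the converter sees it, and disable the risky ImageMagick coders in policy.xml. The following is an added example written for this article, not code from Facebook or from Leonov; the coder list comes from the public ImageTragick advisory, the policy.xml element layout is ImageMagick's own, and the sample file bytes and sample policy are constructed for the demonstration.

```python
"""Two defensive checks for an image-conversion pipeline that hands
fetched files to ImageMagick (added example, not Facebook's or the
researcher's code).

1. Refuse to convert a file unless its leading bytes match a known
   raster image signature, so a text-based file (MVG, MSL, SVG, ...)
   never reaches the converter just because the URL or extension
   claimed it was an image.
2. Parse an ImageMagick policy.xml and report which of the coders
   named in the ImageTragick advisory are still enabled.
"""
import xml.etree.ElementTree as ET

# Leading-byte signatures of the raster formats this pipeline accepts.
RASTER_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Coders the ImageTragick advisory recommended disabling in policy.xml.
IMAGETRAGICK_CODERS = (
    "EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT",
)


def detect_raster_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' based on the file's own bytes, else None."""
    for name, signatures in RASTER_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def safe_to_convert(data: bytes) -> bool:
    """Gate in front of the converter: only known raster content gets through.
    The declared extension or Content-Type is deliberately ignored; only the
    bytes decide."""
    return detect_raster_type(data) is not None


def enabled_imagetragick_coders(policy_xml: str):
    """Return the advisory's coders that policy_xml does NOT disable.

    ImageMagick disables a coder with an element of the form
    <policy domain="coder" rights="none" pattern="NAME" />.
    """
    root = ET.fromstring(policy_xml)
    disabled = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == "coder" and policy.get("rights") == "none":
            disabled.add((policy.get("pattern") or "").upper())
    return [coder for coder in IMAGETRAGICK_CODERS if coder not in disabled]


# Constructed sample inputs for the example.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # real PNG header
SAMPLE_TEXT_AS_PNG = b"this is plain text, not a PNG\n"   # named *.png upstream

# A constructed, partially hardened policy: five coders disabled, four not.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""


if __name__ == "__main__":
    print("png sample accepted:", safe_to_convert(SAMPLE_PNG))
    print("text sample accepted:", safe_to_convert(SAMPLE_TEXT_AS_PNG))
    print("coders still enabled:", enabled_imagetragick_coders(SAMPLE_POLICY))
```

The signature check is the cheap first line of defence and would have stopped a disguised text file from reaching the converter regardless of which ImageMagick version was installed; the policy check is what an operator would run across fleet hosts after patching to confirm that no converter still accepts the coders the advisory called out.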

The vulnerability was reported to Facebook on October 16 and it was patched three days later.

Leonov disclosed some technical details about the flaw, but he did not publish the full proof-of-concept (PoC) exploit that he provided to Facebook. The expert said he did not attempt to go too deep with his exploitation attempt in an effort to avoid violating Facebook’s responsible disclosure policy. Nevertheless, it appears Facebook determined that the security hole was critical and awarded the researcher $40,000.

Facebook has confirmed to SecurityWeek that this is the largest payout to date. The company said it had updated the relevant systems and ensured that no other systems made use of the vulnerable code within hours after the report was confirmed. There is no indication that anyone had attempted to exploit the vulnerability before it was patched.

Until now, the largest known bug bounty had been awarded to Reginaldo Silva, who in 2014 earned $33,500 for an XXE vulnerability. Facebook has paid out more than $5 million since the launch of its bug bounty program in 2011.

*Updated with information from Facebook

Related: Facebook Pays Out $7,500 Bounty for Account Hijacking Flaw

Related: Facebook Password Reset Flaw Earns Researcher $15,000

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.