
Facebook Awards $40,000 Bounty for ImageTragick Hack

A researcher claims to have received a $40,000 bounty from Facebook for finding a remote code execution vulnerability introduced by the ImageMagick image processing suite.

The ImageMagick flaw, tracked as CVE-2016-3714 and dubbed “ImageTragick,” was disclosed in May 2016. The security hole had already been exploited in the wild by then, and security firms soon started seeing an increasing number of attempts to leverage the flaw for reconnaissance and remote access.

Since ImageMagick is used by several image-processing plugins and is present in many web applications, researchers immediately began looking for ImageTragick in the services of major companies, including Yahoo.

Russian security researcher Andrey Leonov discovered recently that Facebook had also used a vulnerable version of ImageMagick. The expert noticed a Facebook request that included a parameter named “picture,” whose value was a URL. The image fetched by this parameter was converted before being displayed to the user.

After attempting to find server-side request forgery (SSRF) and XML external entity (XXE) flaws, Leonov tested the request for the ImageTragick bug. He determined that while the request designed to fetch the image file was not itself vulnerable, the image converter behind it used a vulnerable version of the ImageMagick library.
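The conversion step described above is the point at which user-supplied input reaches ImageMagick. As an added illustration (not Facebook's or Leonov's code), the following Python check applies the mitigation ImageMagick's maintainers recommended at disclosure time: verify that the fetched bytes begin with the magic prefix of an allowed raster format, and pin the decoder on the command line so the coder is chosen from the allow-list rather than inferred from the file's contents. The allow-list, file paths and resize geometry are assumptions.

```python
# Magic-byte prefixes for the raster formats this endpoint is meant to accept.
# This allow-list is an assumption; adjust it to what the converter really needs.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_format(data: bytes):
    """Return the allow-listed format whose magic prefix the data starts with, else None.

    ImageMagick otherwise picks a coder from the file contents (or extension), which is
    how a text file could reach a non-raster coder in the ImageTragick case.
    """
    for prefix, fmt in MAGIC.items():
        if data.startswith(prefix):
            return fmt
    return None


def convert_command(data: bytes, src_path: str, dst_path: str):
    """Build an ImageMagick convert command line for verified input, or None to refuse.

    The explicit 'fmt:' prefix on both input and output pins the coder to the
    format the magic bytes were checked against; callers run this with
    subprocess.run(cmd, check=True) and never pass the raw bytes to the
    converter when None is returned.
    """
    fmt = sniff_format(data)
    if fmt is None:
        return None
    return ["convert", f"{fmt}:{src_path}", "-resize", "256x256", f"png:{dst_path}"]


if __name__ == "__main__":
    # Constructed sample inputs: a PNG header and a PostScript header.
    print(convert_command(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "in.bin", "out.png"))
    print(convert_command(b"%!PS-Adobe-3.0\n", "in.bin", "out.png"))
```

ImageMagick's policy.xml coder restrictions complement this check at the library level, so that a file the sniff misjudges still cannot select a disabled coder.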

The vulnerability was reported to Facebook on October 16 and it was patched three days later.


Leonov disclosed some technical details about the flaw, but he did not publish the full proof-of-concept (PoC) exploit that he provided to Facebook. The expert said he did not attempt to go too deep with his exploitation attempt in an effort to avoid violating Facebook’s responsible disclosure policy. Nevertheless, it appears Facebook determined that the security hole was critical and awarded the researcher $40,000.

Facebook has confirmed to SecurityWeek that this is the largest payout to date. The company said it had updated the relevant systems and ensured that no other systems made use of the vulnerable code within hours after the report was confirmed. There is no indication that anyone had attempted to exploit the vulnerability before it was patched.

Until now, the largest known bug bounty had been awarded to Reginaldo Silva, who in 2014 earned $33,500 for an XXE vulnerability. Facebook has paid out more than $5 million since the launch of its bug bounty program in 2011.

*Updated with information from Facebook

Related: Facebook Pays Out $7,500 Bounty for Account Hijacking Flaw

Related: Facebook Password Reset Flaw Earns Researcher $15,000

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
