A researcher claims to have received a $40,000 bounty from Facebook for finding a remote code execution vulnerability in the ImageMagick image processing suite.
The ImageMagick flaw, tracked as CVE-2016-3714 and dubbed “ImageTragick,” was disclosed in May 2016. It stems from insufficient filtering of shell metacharacters in the commands ImageMagick hands to its delegate programs, so a crafted image file (for example MVG or SVG content disguised under a raster extension) can execute arbitrary commands on the server that processes it. The security hole had already been exploited in the wild, and security firms soon started seeing an increasing number of attempts to leverage the flaw for reconnaissance and remote access.
Since ImageMagick is used by several image-processing plugins and is present in many web applications, researchers immediately began looking for ImageTragick in the services of major companies, including Yahoo.
Russian security researcher Andrey Leonov discovered recently that Facebook had also used a vulnerable version of ImageMagick. The expert noticed a Facebook request that included a parameter named “picture,” whose value was a URL. The image fetched by this parameter was converted before being displayed to the user.
After attempting to find server-side request forgery (SSRF) and XML external entity (XXE) flaws, Leonov tested the request for the ImageTragick bug. He determined that while the request that fetched the image file was not itself vulnerable, the converter that processed the fetched image ran a vulnerable version of the ImageMagick library.
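The fetch-then-convert flow described above is exactly the shape ImageTragick targets: the bytes that reach the converter, not the URL or the file extension, decide which ImageMagick coder runs. The following is an added example (not code from Facebook, Leonov or the ImageMagick project) of the mitigation the ImageTragick disclosure recommended alongside patching: check the magic bytes of the downloaded file against the raster formats the service actually accepts before invoking the converter. The accepted-format table, the function names and the sample files are all assumptions constructed for this illustration; the text-format samples carry only harmless MVG and SVG headers, not an exploit payload.

```python
"""Magic-byte gate for user-supplied images before they reach ImageMagick.

Added example, not code from Facebook, Leonov or the ImageMagick project.
It implements the mitigation published with ImageTragick (CVE-2016-3714):
only hand a file to the converter when its leading bytes match a raster
format you expect. MVG, MSL and SVG inputs are text, ImageMagick selects
the coder from content rather than from the file name, and none of these
text formats begin with a raster signature even when the attacker names
the file "x.png".
"""

# Signatures of the raster formats this hypothetical service accepts.
# (Assumption: the service only needs PNG, JPEG and GIF.)
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}


def sniff_format(data: bytes):
    """Return the name of the first matching signature, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def is_safe_for_convert(data: bytes) -> bool:
    """Gate: True only when the bytes start with an allowed raster signature.

    Call this on the downloaded body, before any `convert` / `identify`
    invocation; a None from sniff_format means the file is either a
    format you do not serve or a text format that could select a
    delegate-capable coder, and it must not be passed on.
    """
    return sniff_format(data) is not None


# Constructed samples (not from the article or from the public PoC).
# The raster ones are just a signature plus filler; the last two are
# text files that an extension-only check would wave through.
SAMPLES = {
    "real.png": MAGIC["png"] + b"\x00" * 16,
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "real.gif": b"GIF89a" + b"\x00" * 16,
    # MVG drawing primitives: ImageMagick would treat this as MVG
    # regardless of the ".png" name.
    "evil.png": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
    # SVG: routed to a coder that can also reach delegates.
    "evil2.png": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>',
}


def triage(samples=SAMPLES):
    """Return {name: (detected_format, accepted)} for each sample."""
    return {
        name: (sniff_format(data), is_safe_for_convert(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (fmt, ok) in triage().items():
        print(f"{name:10} {fmt or '-':8} {'convert' if ok else 'REJECT'}")
```

The check is a gate, not a substitute for the fix: a patched ImageMagick build is still required, and the same disclosure recommended disabling the coders that an image-hosting service never needs (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT) through ImageMagick's policy.xml, so that a file which slips past a content check still cannot select them. Because the Facebook request fetched the image from a caller-supplied URL, the bytes to inspect are the downloaded response body, not anything the client declared about it.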
The vulnerability was reported to Facebook on October 16 and it was patched three days later.
Leonov disclosed some technical details about the flaw, but he did not publish the full proof-of-concept (PoC) exploit that he provided to Facebook. He said he deliberately stopped short of deeper exploitation to avoid violating Facebook’s responsible disclosure policy. Nevertheless, Facebook appears to have determined that the security hole was critical and awarded the researcher $40,000.
Facebook has confirmed to SecurityWeek that this is the largest payout to date. The company said it had updated the relevant systems and ensured that no other systems made use of the vulnerable code within hours after the report was confirmed. There is no indication that anyone had attempted to exploit the vulnerability before it was patched.
Until now, the largest known bug bounty had been awarded to Reginaldo Silva, who in 2014 earned $33,500 for an XXE vulnerability. Facebook has paid out more than $5 million since the launch of its bug bounty program in 2011.
*Updated with information from Facebook
Related: Facebook Pays Out $7,500 Bounty for Account Hijacking Flaw
Related: Facebook Password Reset Flaw Earns Researcher $15,000

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
