Connect with us

Hi, what are you looking for?



Facebook Awards $40,000 Bounty for ImageTragick Hack

A researcher claims to have received a $40,000 bounty from Facebook for finding a remote code execution vulnerability introduced by the ImageMagick image processing suite.

A researcher claims to have received a $40,000 bounty from Facebook for finding a remote code execution vulnerability introduced by the ImageMagick image processing suite.

The said ImageMagick flaw, tracked as CVE-2016-3714 and dubbed “ImageTragick,” was disclosed in May 2016. The security hole had already been exploited in the wild and security firms soon started seeing an increasing number of attempts to leverage the flaw for reconnaissance and remote access.

Since ImageMagick is used by several image-processing plugins and is present in many web applications, researchers immediately began looking for ImageTragick in the services of major companies, including Yahoo.

Russian security researcher Andrey Leonov discovered recently that Facebook had also used a vulnerable version of ImageMagick. The expert noticed a Facebook request that included a parameter named “picture,” whose value was a URL. The image fetched by this parameter was converted before being displayed to the user.

After attempting to find server-side request forgery (SSRF) and XML external entity (XXE) flaws, Leonov tested the request for the ImageTragick bug. He determined that while the request designed to fetch the image file was not vulnerable, the image converter had used a vulnerable version of the ImageMagick library.

The vulnerability was reported to Facebook on October 16 and it was patched three days later.

Leonov disclosed some technical details about the flaw, but he did not publish the full proof-of-concept (PoC) exploit that he provided to Facebook. The expert said he did not attempt to go too deep with his exploitation attempt in an effort to avoid violating Facebook’s responsible disclosure policy. Nevertheless, it appears Facebook determined that the security hole was critical and awarded the researcher $40,000.

Facebook has confirmed to SecurityWeek that this is the largest payout to date. The company said it had updated the relevant systems and ensured that no other systems made use of the vulnerable code within hours after the report was confirmed. There is no indication that anyone had attempted to exploit the vulnerability before it was patched.

Advertisement. Scroll to continue reading.

Until now, the largest known bug bounty had been awarded to Reginaldo Silva, who in 2014 earned $33,500 for an XXE vulnerabilityFacebook has paid out more than $5 million since the launch of its bug bounty program in 2011.

*Updated with information from Facebook

Related: Facebook Pays Out $7,500 Bounty for Account Hijacking Flaw

Related: Facebook Password Reset Flaw Earns Researcher $15,000

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.