Security Experts:

Connect with us

Hi, what are you looking for?



Facebook Awards $40,000 Bounty for ImageTragick Hack

A researcher claims to have received a $40,000 bounty from Facebook for finding a remote code execution vulnerability introduced by the ImageMagick image processing suite.

A researcher claims to have received a $40,000 bounty from Facebook for finding a remote code execution vulnerability introduced by the ImageMagick image processing suite.

The said ImageMagick flaw, tracked as CVE-2016-3714 and dubbed “ImageTragick,” was disclosed in May 2016. The security hole had already been exploited in the wild and security firms soon started seeing an increasing number of attempts to leverage the flaw for reconnaissance and remote access.

Since ImageMagick is used by several image-processing plugins and is present in many web applications, researchers immediately began looking for ImageTragick in the services of major companies, including Yahoo.

Russian security researcher Andrey Leonov discovered recently that Facebook had also used a vulnerable version of ImageMagick. The expert noticed a Facebook request that included a parameter named “picture,” whose value was a URL. The image fetched by this parameter was converted before being displayed to the user.

After attempting to find server-side request forgery (SSRF) and XML external entity (XXE) flaws, Leonov tested the request for the ImageTragick bug. He determined that while the request designed to fetch the image file was not vulnerable, the image converter had used a vulnerable version of the ImageMagick library.

The vulnerability was reported to Facebook on October 16 and it was patched three days later.

Leonov disclosed some technical details about the flaw, but he did not publish the full proof-of-concept (PoC) exploit that he provided to Facebook. The expert said he did not attempt to go too deep with his exploitation attempt in an effort to avoid violating Facebook’s responsible disclosure policy. Nevertheless, it appears Facebook determined that the security hole was critical and awarded the researcher $40,000.

Facebook has confirmed to SecurityWeek that this is the largest payout to date. The company said it had updated the relevant systems and ensured that no other systems made use of the vulnerable code within hours after the report was confirmed. There is no indication that anyone had attempted to exploit the vulnerability before it was patched.

Until now, the largest known bug bounty had been awarded to Reginaldo Silva, who in 2014 earned $33,500 for an XXE vulnerabilityFacebook has paid out more than $5 million since the launch of its bug bounty program in 2011.

*Updated with information from Facebook

Related: Facebook Pays Out $7,500 Bounty for Account Hijacking Flaw

Related: Facebook Password Reset Flaw Earns Researcher $15,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.