A white hat hacker earned $10,000 from Facebook last year for finding a Messenger vulnerability that apparently could have been exploited to randomly obtain other users’ images.
In February 2018, Dzmitry Lukyanenka, a researcher who specializes in the security of Android applications, decided to check how Facebook Messenger for Android handled corrupt GIF files.
Inspired by one of the vulnerabilities discovered back in 2016 in the popular image processing suite ImageMagick, Lukyanenka generated some GIF files to see how they were processed.
He found a way to get the application to crash, but Facebook did not pay a bounty for this DoS flaw. However, the researcher noticed that a test GIF file that he had uploaded to Messenger, which should not have contained an actual image, was displayed as what he described as a “weird image” when the application was opened in a web browser on a laptop.
He experimented with the size of the GIF, and it was displayed as static, similar to the picture on an old TV with no signal. After several tests, his GIF displayed a distorted version of an actual image.
That was when he realized that he was actually getting data from an image previously uploaded by a different user, which he described as a “random memory exposure” issue.
While Lukyanenka did not prove that the vulnerability could have been reliably exploited to obtain sensitive data, Facebook appears to have determined that it was a serious security hole and decided to award him a $10,000 bounty. The social media giant released a fix less than two weeks after being informed of the bug in late February 2018.
Reddit users have speculated about the cause of the vulnerability, and some acknowledged that it could have had serious security implications.
“He recovered most of somebody else’s image. Imagine this was a picture of your children that you were sending privately to family or something. It’s a pretty serious vulnerability, even if it can only be used to extract recently uploaded images,” one Reddit user noted.
Lukyanenka has published a blog post detailing his findings, along with a video showing the exploit in action.
In 2017, Facebook awarded a researcher $40,000 for a remote code execution vulnerability introduced by ImageMagick.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.