Connect with us

Hi, what are you looking for?



GIF Attack on Facebook Messenger Earned Hacker $10,000

A white hat hacker earned $10,000 from Facebook last year for finding a Messenger vulnerability that apparently could have been exploited to randomly obtain other users’ images.

A white hat hacker earned $10,000 from Facebook last year for finding a Messenger vulnerability that apparently could have been exploited to randomly obtain other users’ images.

In February 2018, Dzmitry Lukyanenka, a researcher who specializes in the security of Android applications, decided to check how Facebook Messenger for Android handled corrupt GIF files.

Inspired by one of the vulnerabilities discovered back in 2016 in the popular image processing suite ImageMagick, Lukyanenka generated some GIF files to see how they were processed.

He found a way to get the application to crash, but Facebook did not pay a bounty for this DoS flaw. However, the researcher noticed that a test GIF file that he had uploaded to Messenger, which should not have contained an actual image, was displayed as what he described as a “weird image” when the application was opened in a web browser on a laptop.

He played around with the size of the GIF and it got displayed similar to the picture on the screen of old TVs when there was no signal. After several tests, his GIF displayed a distorted version of an actual image.

Image obtained by exploiting GIF vulnerability

That was when he realized that he was actually getting data from an image previously uploaded by a different user, which he described as a “random memory exposure” issue.

While Lukyanenka did not prove that the vulnerability could have been reliably exploited to obtain sensitive data, Facebook appears to have determined that it was a serious security hole and decided to award him a $10,000 bounty. The social media giant released a fix less than two weeks after being informed of the bug in late February 2018.

Users have speculated on Reddit on the cause of the vulnerability, and some admitted that it could have had serious security implications.

Advertisement. Scroll to continue reading.

“He recovered most of somebody else’s imagine. Imagine this was a picture of your children that you were sending privately to family or something. It’s a pretty serious vulnerability, even if it can only be used to extract recently uploaded images,” one Reddit user noted.

Lukyanenka has published a blog post detailing his findings, along with a video showing the exploit in action.

In 2017, Facebook awarded a researcher $40,000 for a remote code execution vulnerability introduced by ImageMagick.

Related: Several Bugs Exploited in Massive Facebook Hack

Related: CSRF Vulnerability in Facebook Earns Researcher $25,000

Related: Facebook Flaws Exposed Friend Lists, Payment Card Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.