Home

Jan 21, 2017

How This Hacker Broke Facebook With ImageMagick Flaw And Won $40k Reward


A widely-reported flaw in ImageMagick, an open source tool, was used by a hacker to crack Facebook’s servers with remote code execution. The bug, possibly, allows the attacker to upload malicious images that help in the compromise. Bug hunger Andrew Leonov claims that Facebook issued him $40,000 bug bounty in last October. We’ve contacted Facebook for confirmation and further update.

Category:IT 

A widely-reported flaw in ImageMagick, an open source tool, was used by a hacker to crack Facebook’s servers with remote code execution. The bug, possibly, allows the attacker to upload malicious images that help in the compromise. Bug hunger Andrew Leonov claims that Facebook issued him $40,000 bug bounty in last October. We’ve contacted Facebook for confirmation and further update.

ImageMagick flaw was found in the end of April, 2016. As many processing plugins depend on the ImageMagick library, this issue had a widespread impact. It looks like a security researcher has gained remote code execution on its servers using ImageMagick flaw in recent times. 

Bug hunger Andrew Leonov has detailed a blog post and disclosed how he gained remote code execution on Facebook’s servers. He has written all the details, except the sensitive proof-of-concept exploit.

“For full proof that exploit works I provided Facebook security team with result of cat /proc/version output which is not going to publish here,” Leonov writes.

ImageMagick is an open source tool used by developers and designers to resize, crop, and tweak pictures.

As mentioned above, last year it was found that the tool can be abused to allow the hackers to upload malicious images, which can be used to grant remote code execution. This can further result in data theft, exfiltration, and other types of compromises.

Leonov claims that Facebook has paid him $40,000 for his vulnerability report. As of now, Facebook’s highest bounty figure is $33,500, which was awarded to Reginaldo Silva.

According to Leonov’s post, he filed the initial report on 16 October and his $40,000 reward was issued on 28 Oct.

Fossbytes has contacted Facebook for a confirmation and further update. For further details, read Leonov’s blog post here.

authorarticle: Master3395

image: 

keywords: facebook, imageMagick, flaw

Previous Article
Next Article
Discord

Page 1 of 481  >  >>

Gigantic Microsoft blister: 250 million inquiries were searchable

mslogo_1200x720.jpg

Jan 23, 2020 | Category: Microsoft | Comments

Email addresses and IP addresses visible.

read more…

Secret lab for $ 90 million hacking iPhones

sikkerhet_1280x720.jpg

Jan 22, 2020 | Category: Apple | Comments

This is how they hide the mobiles.

read more…

Is Opera's reputation for fall?

pera.jpg

Jan 21, 2020 | Category: General | Comments

Lending money in Asia and Africa. Interest rates? 878 percent.

read more…

Page 1 of 481  >  >>