Jan 21, 2017

How This Hacker Broke Facebook With ImageMagick Flaw And Won $40k Reward


A widely-reported flaw in ImageMagick, an open source tool, was used by a hacker to crack Facebook’s servers with remote code execution. The bug, possibly, allows the attacker to upload malicious images that help in the compromise. Bug hunger Andrew Leonov claims that Facebook issued him $40,000 bug bounty in last October. We’ve contacted Facebook for confirmation and further update.

Category:IT 

A widely-reported flaw in ImageMagick, an open source tool, was used by a hacker to crack Facebook’s servers with remote code execution. The bug, possibly, allows the attacker to upload malicious images that help in the compromise. Bug hunger Andrew Leonov claims that Facebook issued him $40,000 bug bounty in last October. We’ve contacted Facebook for confirmation and further update.

ImageMagick flaw was found in the end of April, 2016. As many processing plugins depend on the ImageMagick library, this issue had a widespread impact. It looks like a security researcher has gained remote code execution on its servers using ImageMagick flaw in recent times. 

Bug hunger Andrew Leonov has detailed a blog post and disclosed how he gained remote code execution on Facebook’s servers. He has written all the details, except the sensitive proof-of-concept exploit.

“For full proof that exploit works I provided Facebook security team with result of cat /proc/version output which is not going to publish here,” Leonov writes.

ImageMagick is an open source tool used by developers and designers to resize, crop, and tweak pictures.

As mentioned above, last year it was found that the tool can be abused to allow the hackers to upload malicious images, which can be used to grant remote code execution. This can further result in data theft, exfiltration, and other types of compromises.

Leonov claims that Facebook has paid him $40,000 for his vulnerability report. As of now, Facebook’s highest bounty figure is $33,500, which was awarded to Reginaldo Silva.

According to Leonov’s post, he filed the initial report on 16 October and his $40,000 reward was issued on 28 Oct.

Fossbytes has contacted Facebook for a confirmation and further update. For further details, read Leonov’s blog post here.

authorarticle: Master3395

image: 

keywords: facebook, imageMagick, flaw

Sponsored Ads:

Sponsored Ads: