A hacker used a previously discovered ImageMagick flaw to achieve remote code execution on Facebook. The bug was so severe that Facebook paid a $40,000 bounty to Andrew Leonov, who breached the social networking site using the remote code execution bug and privately reported it to the company.
— Andrew Leonov (@4lemon) January 17, 2017
Leonov, a security researcher, was able to hack Facebook through an ImageMagick flaw that had been discovered and patched last year. The vulnerability, however, still impacted Facebook, and Leonov figured out a way to use it as part of a remote code execution exploit in October.
ImageMagick is an open source image-editing tool used by millions of websites to resize, crop, and tweak pictures. In May, a severe bug was detected that allowed hackers to upload malicious images that grant remote code execution on the website, from where further compromise, data exfiltration, and lateral movement may be possible. ImageMagick quickly patched the flaw on its end, but several websites still carry the bug and can be remotely hacked using the ImageMagick flaw. Leonov found that one of the websites that had not patched the ImageMagick flaw was Facebook, and the rest is history.
Leonov says that he discovered the Facebook flaw accidentally when he was redirected from some other website to Facebook. He decided to check whether Facebook was vulnerable to the ImageMagick flaw and found that he could easily hack Facebook using the bug.
“Once upon a time on Saturday in October i (sic!) was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog,” he says. “I am glad to be the one of those who broke the Facebook.”
Leonov immediately informed the Facebook security team on 16th October. Facebook acknowledged the severity of the bug and patched it immediately.
Facebook paid Leonov $40,000 for this bug, which is the highest amount paid by Facebook for any bug. The previous highest bounty was $33,500, paid to Reginaldo Silva, who also discovered a similar remote code execution bug.
Facebook hasn’t yet commented on either the bug or the bug bounty paid to Leonov.