Bounty Hunter Earns £32,5000 Reward For Catching Facebook Bug


Facebook pays out its highest ever reward for PoC behind ImageMagick security flaw

Bug bounty hunter Andrey Leonov has earned $40,000 (£32,500) from Facebook for disclosing the proof-of-concept (PoC) behind the widely-reported ImageMagick vulnerability.

ImageMagick is a set of open source tools used to edit pictures online. Reports of a vulnerability within the tools first came to light in May 2016, allowing attackers to upload malicious images that could be exploited for various means such as data exfiltration.

Leonov was able to grant remote code execution on Facebook’s servers, potentially allowing him to take over websites running the image manipulation app.


ImageMagick bug

“Once upon a time on Saturday in October i was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog,” he writes.

“If we look closer we can see that a `picture` parameter is a url. But there isn’t image url on page content like mentioned above.”

He discovered the vulnerability after a service redirected him to the social network, which he initially though was a server-side request forgery before digging deeper and discovering the true flaw.

Leonov first provided a report of the bug on 16 October, followed by the PoC two days later. The bug was then acknowledged by Facebook’s security team and the patch released on 19 October.

Facebook recently revealed that it has paid out $5 million (£4 million) to researchers through its bug bounty progamme in the five years that it has been running and a host of other companies also now use such schemes to keep track of any vulnerabilities.

Nintendo, for example, launched a bug bounty programme in December, offering rewards of up to $20,000 for vulnerabilities around its 3DS family of systems, as did the likes of Apple and Kaspersky Lab.

Are you a cyber security expert? Take our quiz and find out!