Facebook Paid $40,000 to Hacker for Finding Remote Code Execution Bug

0

Facebook just paid $40,000 to hacker for finding remote code execution on it’s servers through the widely-reported ImageMagick flaw.

Leonov (@4lemon) described, In his detailed article, He disclosed how he gained access in Facebook’s servers through remote code execution. He has written all his proof-of-concept exploit.

I want to believe that all of you know about ImageMagick and its Tragick. This issue was found in the end of the April, 2016 and due to many processing plugins depends on the ImageMagick library this issue has a huge impact. Since there were evidences that information about this issue was available not only for researchers, who discovered it and ImageMagick’s development team, but also for others, on the 3rd of May, 2016 the information (without PoC) was disclosed. Many of researchers got this low-hanging fruit while discovering applications which were not updated in time. But for some unknowable reason i was not among them. But this was in May:)

Once upon a time on Saturday in October i was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog:

https://www.facebook.com/dialog/feed?app_id=APP_ID&link=link.example.tld&picture=http%3A%2F%2Fattacker.tld%2Fexploit.png&name=news_name&caption=news_caption&description=news_descriotion&redirect_uri=http%3A%2F%2Fwww.facebook.com&ext=1476569763&hash=Aebid3vZFdh4UF1H

You can find more information about his discovery here: http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html


Facebook paid him highest bug bounty yet! even more then the previous vulnerability hunter Reginaldo Silva for remote code execution bug.

Facebook has confirmed the payment and bug. The open source ImageMagick tools are used by scores of web properties to resize, crop, and tweak pictures.

 

 

This article is for educational purpose only, TheHackToday.com is not responsible for negative use of this tutorial.