A security researcher, Andrew Leonov, has been awarded $40,000 by Facebook for breaching the social network and fixing a remote code execution vulnerability. The researcher succeeded in cracking Facebook by using an ImageMagick flaw.
The ImageMagick Flaw Was Previously Fixed but Deemed Exploitable Once Again
This flaw was already discovered and fixed in 2016, but it needed to be addressed once again because the vulnerability was still impacting the website. In October, Leonov established a way to use it in a remote code execution scenario.
Leonov has shared his discovery in a blog post, saying that:
Once upon a time on Saturday in October I was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog.
As the quote above shows, the researcher stumbled upon the vulnerability by accident and decided to explore it in depth. He also shared that he was glad to be the person who exploited it, as he didn’t do it for black hat reasons. Nonetheless, he got awarded a bounty in the amount of $40,000, or at least that is what he claims. It appears that this is the biggest bug bounty ever awarded. According to The Register, the previous biggest bounty was $33,500 paid to Reginaldo Silva for discovering another remote code execution flaw in Facebook.
More about Remote Code Execution
In short, remote code execution is the ability to trigger arbitrary code execution from one computer on another (mostly via the Internet). Vulnerabilities such as the ImageMagick flaw in Facebook are what enable attackers to execute malicious code and gain control over the compromised system. Once a system is under the attackers’ control, they can elevate their privileges. That being said, the best way to prevent remote code execution attacks is by never allowing vulnerabilities to be exploited. Unfortunately, remote code execution flaws are very often favored by attackers, and that is what makes keeping your operating system up-to-date crucial.
Is there a malicious impact of the vulnerability? Luckily, no, as the Facebook ImageMagick flaw was privately reported and no user data has been compromised.
Facebook spends millions on bug bounties, as we have previously written. In 2015 alone the social network spent a total of $936,000. The sum was shared out to 210 researchers in exchange for reporting 526 bugs. The average size of a bug bounty was $1,780. Indian researchers were at the top of the ‘bug bounty chain’ in 2014 and 2015.