Facebook Hacked Via ImageMagick Exploit

Facebook has paid a bounty to the security researcher Andrew Leonov who discovered a working exploit that uses an ImageMagick flaw to break into the service’s servers.

Facebook Paid a Bounty That Revealed ImageMagick Exploit

A very serious exploit has been identified by the security researcher Andew Leonov. He discovered a way to use an ImageMagick flaw to allow remote code execution on the social network’s servers. He was a bounty of 40 000 US Dollars by the company for releasing the detailed information about the vulnerability to them.

ImageMagick is popular tool and module which is used to create, edit, compose or convert bitmap images. The software is open-source and used by many popular social media services. The incident is related to the so-called “Tragick” exploit which was identified in April 2016. The vulnerability is tracked under the advisory CVE-2016-3714 which states the following:

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka “ImageTragick.”

Because a number of different image processing plugins depend on the main imageMagick library it is quite difficult to isolate the flaw using an easy-to-use method. This is the probable reason why the social network has not patched the issue yet. The researcher discovered a redirect labeled “Share on Facebook” which used an ImageMagick transformation that is vulnerable. Here is a timeline provided by him:

16 Oct 2016, 03:31 am: Initial report

18 Oct 2016, 05:35 pm: Actual PoC I used requested by security team member Neal

18 Oct 2016, 08:40 pm: I replied by sending a PoC and provided additional info

18 Oct 2016, 10:31 pm: Bug acknowledged by security team member Neal

19 Oct 2016, 12:26 am: Just heads-up by security team member Neal that fix is in the progress

19 Oct 2016, 02:28 am: Neal informed me that vulnerability has been patched

19 Oct 2016, 07:49 am: I replied confirming that the bug was patched and requested disclosure timeline

22 Oct 2016, 03:34 am: Neal answered about disclosure timeline

28 Oct 2016, 03:04 pm: $40k reward issued

04 Nov 2016: Reward paid through Bugcrowd payment system

16 Dec 2016: Disclosure approved

For more information you can read Leonov’s blog post on the matter which gives further insight into the issue.

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *