Facebook has paid a bounty to the security researcher Andrew Leonov who discovered a working exploit that uses an ImageMagick flaw to break into the service’s servers.
Facebook Paid a Bounty That Revealed ImageMagick Exploit
A very serious exploit has been identified by the security researcher Andrew Leonov. He discovered a way to use an ImageMagick flaw to achieve remote code execution on the social network’s servers. The company awarded him a bounty of 40,000 US dollars for reporting the vulnerability to them in detail.
ImageMagick is a popular tool and library used to create, edit, compose or convert bitmap images. The software is open-source and used by many popular social media services. The incident is related to the so-called “ImageTragick” exploit, which was identified in April 2016. The vulnerability is tracked under the advisory CVE-2016-3714, which states the following:
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka “ImageTragick.”
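The coders named in the advisory are selected from file content, not the file extension, so a text-based MVG or MSL script uploaded as “photo.png” still reaches the vulnerable code path. The mitigation recommended by the ImageTragick disclosure was to validate an upload’s magic bytes before handing it to ImageMagick (alongside a policy.xml that disables those coders). The following is an added example of such a gate, not code from the article, Facebook or the ImageMagick project; the accepted formats, the hypothetical check_upload() helper and the sample blobs are assumptions.

```python
# Added defensive example: allow-list raster headers before any ImageMagick call.
from typing import Optional

# Magic bytes of the raster formats this hypothetical service chooses to accept.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}

# Which filename extensions are consistent with each detected format.
EXPECTED_EXT = {"png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif87a": {"gif"}, "gif89a": {"gif"}}


def detect_raster_format(data: bytes) -> Optional[str]:
    """Return the allow-listed format whose magic prefix matches, or None."""
    for name, magic in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def check_upload(filename: str, data: bytes) -> str:
    """Decide whether an upload may be passed to ImageMagick.

    Returns "ok", or a reject reason. An extension/content mismatch is rejected
    and is worth logging: it is exactly the shape an ImageTragick attempt takes.
    """
    fmt = detect_raster_format(data)
    if fmt is None:
        return "reject:unknown-format"   # MVG, MSL, SVG, plain text, etc.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXPECTED_EXT[fmt]:
        return "reject:extension-mismatch"
    return "ok"


# Constructed sample inputs (not real uploads): a PNG header, an MVG script
# header and an MSL-style XML prologue.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_MVG = b"push graphic-context\nviewbox 0 0 640 480\n"
SAMPLE_MSL = b"<?xml version='1.0' encoding='UTF-8'?>\n<image>\n"

if __name__ == "__main__":
    for name, blob in [("avatar.png", SAMPLE_PNG), ("avatar.png", SAMPLE_MVG),
                       ("avatar.jpg", SAMPLE_PNG), ("avatar.png", SAMPLE_MSL)]:
        print(name, check_upload(name, blob))
```

The check only decides whether ImageMagick is invoked at all; it does not replace patching to the fixed versions named in the advisory.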
Because a number of different image-processing plugins depend on the main ImageMagick library, the flaw is hard to isolate with a simple fix. This is the probable reason why the social network had not yet patched the issue. The researcher discovered a redirect labeled “Share on Facebook” which relied on a vulnerable ImageMagick transformation. Here is the timeline he provided:
16 Oct 2016, 03:31 am: Initial report
18 Oct 2016, 05:35 pm: Actual PoC I used requested by security team member Neal
18 Oct 2016, 08:40 pm: I replied by sending a PoC and provided additional info
18 Oct 2016, 10:31 pm: Bug acknowledged by security team member Neal
19 Oct 2016, 12:26 am: Just a heads-up by security team member Neal that a fix is in progress
19 Oct 2016, 02:28 am: Neal informed me that vulnerability has been patched
19 Oct 2016, 07:49 am: I replied confirming that the bug was patched and requested disclosure timeline
22 Oct 2016, 03:34 am: Neal answered about disclosure timeline
28 Oct 2016, 03:04 pm: $40k reward issued
04 Nov 2016: Reward paid through Bugcrowd payment system
16 Dec 2016: Disclosure approved
For more information you can read Leonov’s blog post on the matter which gives further insight into the issue.