Last May, Ars reported that a critical vulnerability in a widely used image-processing application left a huge number of websites open to attacks that allowed hackers to execute malicious code on the underlying servers. More than five months later, Facebook paid a $40,000 bounty after discovering it was among those at risk.
On Tuesday, researcher Andrey Leonov said he was able to exploit the vulnerability in the ImageMagick application by using a tunneling technique based on the domain name system that bypassed Facebook firewalls. The firewalls had successfully protected against his earlier exploit attempts. Large numbers of websites use ImageMagick to quickly resize images uploaded by users.
“I am glad to be the one of those who broke the Facebook,” Leonov wrote in a blog post that gave a blow-by-blow account of how he exploited the ImageMagick vulnerability. Two days after the researcher privately shared the exploit with Facebook security personnel, they patched their systems. Ten days after that, they paid Leonov $40,000, one of the biggest bounties Facebook has ever paid.