Facebook awards $10K bounty for bug discovery

Facebook has awarded a security researcher a $10,000 bounty for the discovery of a GIF processing vulnerability in Messenger.

Before a recent update, the bug could have been abused to cause the Facebook server to leak data from memory through a malformed GIF image, with the potential for an attacker to exfiltrate sensitive information.

Android security researcher Dzmitry Lukyanenka found the issue after creating his own GIF image file with no body content. Once uploaded, the Facebook server attempts to parse the GIF but, as there is no content there, information from a previously buffered data seeps through – possibly from images belonging to other users.

Lukyanenka submitted the payloads via Messenger for Android, but the exploit was only visible in the Messenger web application.

According to his write-up of the bug, Lukyankena was inspired by a similar vulnerability found last year in open source image converter Imagemagick, where a manipulated image file also led to server memory leakage.

Lukyanenka reported the issue to Facebook on February 26, and the issue was fixed on March 9.

The infamous Heartbleed bug in the OpenSSL cryptographic software library is another example of a server memory disclosure vulnerability. The bug left half a million websites at risk of attack, as reported by Netcraft in 2014.

RELATED Bug Bounty Radar // Feb 2019