Facebook has allegedly paid a $40,000 bounty to Andrew Leonov, a security researcher who managed to breach the social networking site using a remote code execution bug he discovered and privately reported to the company.
Leonov explained in a post that he cracked the social network using an ImageMagick flaw which was actually discovered and patched last year. The vulnerability, however, still impacted Facebook, and the security expert figured out a way to use it as part of a remote code execution exploit in October.
In a timeline posted on his blog, Leonov says he reported the flaw on October 16, and after further investigation, the company patched it only a few days later.
$40,000 bounty for the researcher
The hacker says he discovered the vulnerability accidentally after being redirected by another service to Facebook, but decided to look into it to determine if the ImageMagick flaw was patched or not.
“Once upon a time on Saturday in October I was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog,” he says. “I am glad to be the one of those who broke the Facebook.”
Since the vulnerability was privately reported, no user data was put at risk, so rest assured because your accounts are all safe, and so are your cat and food photos.
The hacker claims he received a $40,000 bounty from the social network, and this seems to be the biggest financial reward the company has ever paid to a researcher. As The Reg puts it, the previous highest paid bounty was $33,500 for Reginaldo Silva, who also discovered a remote code execution bug.
Facebook hasn’t yet issued a statement regarding this bug, but given that a patch has already been released, there’s not much to say, except that everyone is safe and the exploit no longer works.