Failure to patch known ImageMagick flaw for months costs Facebook $40k

A researcher found that Facebook was still vulnerable to the ImageTragick exploit months after it was disclosed

It's not common for a security-conscious internet company to leave a well-known vulnerability unpatched for months, but it happens. Facebook paid a US$40,000 reward to a researcher after he warned the company that its servers were vulnerable to an exploit called ImageTragick.

ImageTragick is the name given by the security community to a critical vulnerability that was found in the ImageMagick image processing tool back in May.

ImageMagick is a command-line tool that can resize, convert and optimize images in many formats. Web server libraries like PHP’s imagick, Ruby’s rmagick and paperclip, and Node.js’s imagemagick, used by millions of websites, are based on it.

The ImageMagick developers attempted to patch the ImageTragick flaw after it was privately reported to them, but their fix was incomplete. Soon after, hackers started exploiting the flaw in widespread attacks to compromise web servers.

In October, a security researcher named Andrey Leonov was investigating Facebook's content sharing mechanism, which generates a short description for external URLs shared by users, including a resized image grabbed from the shared page.

According to the researcher, he was hoping to find a Server-Side Request Forgery (SSRF) or XML External Entity (XXE) vulnerability that he could report to Facebook and get a reward through the company's bug bounty program.

When he failed to find such flaws, he got the idea to test for the ImageTragick flaw as a last resort, because Facebook was resizing images and there was a chance it was using this tool.

The first exploitation attempt, which was intended to execute a command on Facebook's server that would call out to a web page on an external server, failed, Leonov explained in a blog post Tuesday.

The researcher then realized that the server might be behind a firewall that only allows requests to trusted servers. So he repeated his exploit, but this time used a DNS tunneling trick, where data is leaked to an external DNS server through DNS requests.

According to Leonov, this worked and he managed to get a directory listing from Facebook's server relayed to his own server via DNS requests.
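The DNS tunneling trick described above works because outbound DNS resolution is usually allowed even where direct web requests are blocked, so a defender's best signal is the shape of the queries themselves. The following is an added example, not code from the article or from Leonov's write-up: a small Python detector that scans constructed DNS query log lines (client address and queried name) and flags clients that repeatedly send long or high-entropy subdomain labels to the same registered domain. The log format, the thresholds and the two-label approximation of a "registered domain" are assumptions for the example; a production detector would use a public-suffix list and site-specific baselines.

```python
import math
from collections import Counter

# Constructed DNS query log: "<client_ip> <queried_name>" per line.
# The hex labels are arbitrary filler, not decoded data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.com
10.0.0.7 3a5f9c2e7b1d4f6a8e0c2b9d7f3e1a5c.data.oob.example.test
10.0.0.7 91d4e7a2c6f0b3e8d5a1c7f2e9b4d6a0.data.oob.example.test
10.0.0.5 mail.example.com
10.0.0.7 0c3e6a9d2f5b8e1c4a7d0f3b6e9c2a5d.data.oob.example.test
"""

# Thresholds are assumptions chosen for the example, not measured baselines.
MAX_PAYLOAD_LEN = 24      # subdomain text longer than this is unusual for humans
MAX_PAYLOAD_ENTROPY = 3.5 # bits per character; encoded data trends toward the maximum


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_payload(qname: str) -> str:
    """Everything below the registered domain, which is where tunneled data is carried."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def is_suspicious_query(qname: str) -> bool:
    """Flag a query whose subdomain part is long or looks like encoded data."""
    payload = subdomain_payload(qname)
    return len(payload) >= MAX_PAYLOAD_LEN or shannon_entropy(payload) >= MAX_PAYLOAD_ENTROPY


def find_tunneling_candidates(log_text: str, min_suspicious: int = 2) -> dict:
    """Return {(client, registered_domain): count} for pairs with repeated suspicious queries.

    Requiring several hits to the same domain from one client reduces
    false positives from single odd-looking but legitimate names.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        if is_suspicious_query(qname):
            counts[(client, registered_domain(qname))] += 1
    return {pair: n for pair, n in counts.items() if n >= min_suspicious}


if __name__ == "__main__":
    for (client, domain), n in find_tunneling_candidates(SAMPLE_LOG).items():
        print(f"possible DNS tunneling: {client} -> {domain} ({n} suspicious queries)")
```

Run against the constructed log, only the 10.0.0.7 queries to example.test are reported; the example.com lookups from 10.0.0.5 have short, low-entropy subdomains and are ignored. In a real deployment the same two signals (payload length and entropy, aggregated per client and domain) are what DNS-tunneling detections in most SIEMs are built on.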

The researcher reported the vulnerability to Facebook on Oct. 16, and the company patched it three days later after confirming it. The company paid Leonov a $40,000 bounty, one of the largest rewards it has paid for a single vulnerability report.

For webmasters, this should serve as a reminder to patch the ImageTragick flaw if they haven't already. Security researcher Michal Zalewski published a blog post in May with various mitigation suggestions, including limiting which image formats ImageMagick is allowed to process and sandboxing the tool.

Zalewski believes that ImageMagick users should stop using the tool entirely in favor of libraries such as libpng, libjpeg-turbo, and giflib. That's because there's a long history of vulnerabilities in ImageMagick, and tests performed with automated fuzzing tools revealed many potentially exploitable bugs.
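Limiting which formats ImageMagick will process, as the mitigation paragraph above recommends, has two practical parts: checking that an uploaded file really is one of the expected raster formats before ImageMagick ever sees it, and then telling ImageMagick explicitly which coder to use rather than letting it guess from the file's content. The following is an added example, not code from the article, from Zalewski's post or from the ImageMagick project: a Python pre-filter that validates magic bytes against a small allow-list and builds a `convert` command line with the coder prefixed to both input and output paths. The allowed-format table, the sample inputs and the resize geometry are constructed for the example.

```python
# Magic-byte prefixes for the raster formats an upload endpoint chooses to accept.
# Constructed allow-list; extend only with formats the application really needs.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Constructed sample inputs (headers only, padded so they are not mistaken for real images).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_TEXT = b"# a text-based file uploaded with a .png name\n"


def detect_image_format(data: bytes):
    """Return the allow-listed format whose magic bytes start `data`, or None."""
    for fmt, prefixes in ALLOWED_SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def is_safe_to_process(data: bytes, declared_format: str) -> bool:
    """Accept only when the content's magic bytes match an allowed format AND the format the
    caller declared (e.g. from the file extension). A mismatch means the file is not what it
    claims to be and should be rejected rather than handed to an image library to guess at."""
    detected = detect_image_format(data)
    return detected is not None and detected == declared_format.lower()


def build_convert_args(src_path: str, fmt: str, dst_path: str, geometry: str = "256x256") -> list:
    """Build an ImageMagick `convert` argv that pins the coder with a `fmt:` prefix.

    Prefixing the path with the coder name is ImageMagick's documented way to force a
    specific format; without it, the tool selects a coder from the file contents, which is
    exactly the behaviour the magic-byte check above is meant to keep out of reach.
    """
    if fmt.lower() not in ALLOWED_SIGNATURES:
        raise ValueError(f"format not on the allow-list: {fmt}")
    return ["convert", f"{fmt}:{src_path}", "-resize", geometry, f"{fmt}:{dst_path}"]


def plan_resize(data: bytes, declared_format: str, src_path: str, dst_path: str):
    """Return the argv to run, or None if the upload fails validation."""
    if not is_safe_to_process(data, declared_format):
        return None
    return build_convert_args(src_path, declared_format, dst_path)


if __name__ == "__main__":
    for name, blob, declared in [("real.png", SAMPLE_PNG, "png"),
                                 ("fake.png", SAMPLE_TEXT, "png"),
                                 ("photo.jpeg", SAMPLE_JPEG, "png")]:
        print(name, "->", plan_resize(blob, declared, name, "thumb_" + name))
```

The command line is returned rather than executed so the example runs offline; in an application the returned list would be passed to `subprocess.run` with `shell=False`, ideally inside the sandbox the article mentions. Rejecting mismatches outright (the `photo.jpeg` case, a valid JPEG declared as PNG) is deliberate: silently "correcting" the format reintroduces content-based guessing by another route.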
