Russian hacker received $40 thousand for hacking Facebook
Facebook has paid Russian programmer Andrey Leonov, a record fee for hacking – $40 thousand, state Fortune.
The vulnerability allowed hackers to execute arbitrary code on the server of social network. According to Leonov, he found the hole by accident. The programmer tested code of the major service. In the process, the appeared pop-up window "Share on Facebook" through which he came to the site of the social network. However, for unknown reasons the picture was not displayed correctly.
Dealing with this problem, Leonov found that Facebook was susceptible to remote code execution through a vulnerability in ImageMagick, a popular tool for photo editing. The social network used the ImageMagick library in photo converter.
The bug allowed hackers to hide malicious code in image files, which they are added to the site. It was originally discovered in April 2016 and has led to the hacking of a large number of sites using ImageMagick. Professionals Facebook tried to eliminate the bug last year, but Leonov found that can bypass the installed protection.
To close the vulnerability, the programmers of Facebook added rules to the firewall web applications – a tool that filters and blocks Internet traffic. However, this measure failed to provide protection.
The programmer reported an error in Facebook 16 Oct 2016. Within three days the specialists of the social network has closed the gap. In early November, the company paid the award Leonov.
I'm glad to be one of those who hacked into Facebook, — wrote he in his blog.
Andrey Leonov 2015 works as a security expert in the company SEMrush. He is also an active user of the blog platform for hackers Hackerone.
Representatives from Facebook confirmed to Fortune that the payment Andrei Leonov was the largest for all time of existence of the program for finding vulnerabilities. Previously, the largest was considered the reward, which was issued by a Brazilian programmer Reginaldo Silva. In January 2014, he received $33 thousand.
Recall that over the past five years Facebook paid hackers more than $5 million for the found vulnerabilities. Remuneration received over 900 people.