It’s not common for a security-conscious internet company to leave a well-known vulnerability unpatched for months, but it happens. Facebook paid a US$40,000 reward to a researcher after he warned the company that its servers were vulnerable to an exploit called ImageTragick.
ImageTragick is the name given by the security community to a critical vulnerability that was found in the ImageMagick image processing tool back in May.
ImageMagick is a command-line tool that can resize, convert and optimize images in many formats. Web server libraries like PHP’s imagick, Ruby’s rmagick and paperclip, and Node.js’s imagemagick, used by millions of websites, are based on it.
The ImageMagick developers attempted to patch the ImageTragick flaw after it was privately reported to them, but their fix was incomplete. Soon after, hackers started exploiting them in widespread attacks to compromise web servers.
In October, a security researcher named Andrey Leonov was investigating Facebook’s content sharing mechanism, which generates a short description for external URLs shared by users, including a resized image grabbed from the shared page.
According to the researcher, he was hoping to find a Server-Side Request Forgery (SSRF) or XML External Entity (XXE) vulnerability that he could report to Facebook and get a reward through the company’s bug bounty program.
When he failed to find such flaws, he got the idea to test for the ImageTragick flaw as a last resort, because Facebook was resizing images and there was a chance it was using this tool.
The first exploitation attempt failed because it was intended to execute a command on Facebook’s server that would call out a web page on an external server, Leonov explained in a blog post Tuesday.
The researcher then realized that the server might be behind a firewall that only allows requests to trusted servers. So he repeated his exploit, but this time used a DNS tunneling trick, where data is leaked to an external DNS server through DNS requests.
According to Leonov, this worked and he managed to get a directory listing from Facebook’s server relayed to his own server via DNS requests.
The researcher reported the vulnerability to Facebook on Oct. 16, and the company patched it three days later after confirming it. The company paid Leonov a $40,000 bounty, one of the largest rewards it has paid for a single vulnerability report.
For webmasters, this should serve as a reminder to patch the ImageTragick flaw if they haven’t until now. Security researcher Michal Zalewski published a blog post in May with various mitigation suggestions, including limiting which image formats ImageMagick is allowed to process and sandboxing the tool.
Zalewski believes that ImageMagick users should stop the tool entirely in favor of libraries such as libpng, libjpeg-turbo, and giflib. That’s because there’s a long history of vulnerabilities in ImageMagick, and tests performed with automated fuzzing tools revealed many potentially exploitable bugs.