Short Bytes: A widely-reported flaw in ImageMagick, an open source tool, was used by a hacker to crack Facebook’s servers with remote code execution. The bug, possibly, allows the attacker to upload malicious images that help in the compromise. Bug hunter Andrew Leonov claims that Facebook issued him a $40,000 bug bounty last October. We’ve contacted Facebook for confirmation and further updates.

Bug hunter Andrew Leonov has detailed in a blog post how he gained remote code execution on Facebook’s servers. He has written up all the details, except the sensitive proof-of-concept exploit.


“For full proof that exploit works I provided Facebook security team with result of cat /proc/version output which is not going to publish here,” Leonov writes.

ImageMagick is an open source tool used by developers and designers to resize, crop, and tweak pictures.

.@4lemon @facebook great example of awesome research, smooth disclosure, great vendor response, & #BugBounty. Well done, all!

— Katie🌻Moussouris (she/her) (@k8em0) June 29, 2025

As mentioned above, last year it was found that the tool can be abused to let attackers upload malicious images that lead to remote code execution. This can further result in data theft, exfiltration, and other types of compromise.

Leonov claims that Facebook has paid him $40,000 for his vulnerability report. As of now, Facebook’s highest bounty figure is $33,500, which was awarded to Reginaldo Silva.

According to Leonov’s post, he filed the initial report on 16 October and his $40,000 reward was issued on 28 October.

Fossbytes has contacted Facebook for confirmation and further updates. For further details, read Leonov’s blog post here.
