Hacker receives a $10k USD bounty for reporting a GIF attack in Facebook Messenger

The flaw could have been exploited to obtain random images stored on a user’s device

According to network security experts from the International Institute of Cyber Security, an ethical hacker received a $10k USD bounty from Facebook Vulnerability Bounty Program for reporting a vulnerability in Facebook Messenger that allowed access to images of the victims.

Dmitry Lukyanenka, a researcher specializing in security measures for Android applications, submitted Facebook Messenger to a series of security tests to analyze how this service manages malicious GIF files.

Based on the vulnerabilities discovered in ImageMagick in 2016, the network security expert created some GIF files to find out how they were processed in Messenger. The expert found a way to generate a denial of service in Messenger, but Facebook gave him the reward for the report of another error. The expert discovered that a GIF he had loaded showed a strange image, when it was not supposed to show any image, at the time that the application was started in a Web browser or laptop.

The network security expert tried to manipulate the image a bit and it was shown as a TV screen with no signal. After some additional tests, GIF showed a distorted image of the actual image. Thus, the expert discovered that what he was showing was data from an image previously loaded by a different user, in other words, a random memory exposure problem.

Although the expert could not prove that the vulnerability could have been exploited to obtain private images of a user, the Facebook security teams considered that it was a critical error and awarded a $10k USD bounty. The social network corrected the flaw a few days later.

However, some users consider that this failure may have generated critical security issues: “The vulnerability could have exposed users and their families, even if recent and random images could only be leaked,” published Some users on the Reddit platform.