Geeks for your information News Privacy & Security News v
GIF Attack on Facebook Messenger Earned Hacker $10,000
GIF Attack on Facebook Messenger Earned Hacker $10,000
NcoII Offline
Junior Member
**
Posts: 24
Threads: 9
Thanks Received: 27 in 15 posts
Thanks Given: 2
Thanks Received: 27 in 15 posts
Thanks Given: 2
Joined: 26 December 18
#1
12 March 19, 05:35
Quote:A white hat hacker earned $10,000 from Facebook last year for finding a Messenger vulnerability that apparently could have been exploited to randomly obtain other users’ images.

In February 2018, Dzmitry Lukyanenka, a researcher who specializes in the security of Android applications, decided to check how Facebook Messenger for Android handled corrupt GIF files.

Inspired by one of the vulnerabilities discovered back in 2016 in the popular image processing suite ImageMagick, Lukyanenka generated some GIF files to see how they were processed.

He found a way to get the application to crash, but Facebook did not pay a bounty for this DoS flaw. However, the researcher noticed that a test GIF file that he had uploaded to Messenger, which should not have contained an actual image, was displayed as what he described as a “weird image” when the application was opened in a web browser on a laptop.

He played around with the size of the GIF and it got displayed similar to the picture on the screen of old TVs when there was no signal. After several tests, his GIF displayed a distorted version of an actual image.

That was when he realized that he was actually getting data from an image previously uploaded by a different user, which he described as a “random memory exposure” issue.

While Lukyanenka did not prove that the vulnerability could have been reliably exploited to obtain sensitive data, Facebook appears to have determined that it was a serious security hole and decided to award him a $10,000 bounty. The social media giant released a fix less than two weeks after being informed of the bug in late February 2018.

Users have speculated on Reddit on the cause of the vulnerability, and some admitted that it could have had serious security implications.

“He recovered most of somebody else's imagine. Imagine this was a picture of your children that you were sending privately to family or something. It's a pretty serious vulnerability, even if it can only be used to extract recently uploaded images,” one Reddit user noted.

Lukyanenka has published a blog post detailing his findings, along with a video showing the exploit in action.
Source
[-] The following 1 user says Thank You to NcoII for this post:
  • harlan4096
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Mozilla Firefox Browser 134.0
Mozilla Firefox Br...harlan4096 — 11:45
uBOLite_2025.1.7.268
uBOLite_2025.1.7.2...harlan4096 — 11:43
NVIDIA CES 2025 NEWS
NVIDIA announces DLS...harlan4096 — 08:10
NVIDIA CES 2025 NEWS
NVIDIA launches GeFo...harlan4096 — 08:10
NVIDIA CES 2025 NEWS
Watch NVIDIA CES 202...harlan4096 — 08:09

[-]
Birthdays
Today's Birthdays
avatar (44)StephenViedy
Upcoming Birthdays
avatar (49)theoldevext
avatar (44)algratCep
avatar (49)Qlaude2Sap
avatar (43)tabthinLem
avatar (50)Josepharelf
avatar (39)kholukrefar
avatar (48)Lauraimike
avatar (50)WilsonWag
avatar (48)StevenPiole
avatar (39)zetssToomy
avatar (46)GornOr
avatar (49)Jamesmog
avatar (37)opeqyrav
avatar (38)theatidere
avatar (47)denisEquivok
avatar (35)mikebrian01
avatar (37)ivanoFloom
avatar (40)uxegihor

[-]
Online Staff
There are no staff members currently online.

>