Facebook awarded Russian security researcher Andrew Leonov $40,000 for finding a flaw in its photo editing software ImageMagick. The bug, which was originally discovered last year by Facebook’s security team, was temporarily patched up, but Leonov found a flaw in their handywork, making Facebook’s servers vulnerable to “remote code execution.”
While on the web, Leonov was presented with a “share on Facebook” pop-up box and he noticed that the page’s image failed to load properly. After some digging, he found that “Facebook had used a vulnerable ImageMagick library in its image converter,” reports Fortune.
Leonov then found a way to break through Facebook’s firewall with his own code, and afterwards reported the bug to the company. He was awarded the biggest bounty Facebook has ever given out, which he received through bug bounty startup Bugcrowd.
In 2014, Facebook paid Brazilian security researcher Reginaldo Silva $33,500 for reporting a major vulnerability that would have risked users’ login credentials. The bug was related to code used for the authentication system OpenID, which lets people use the same log-in credentials on various platforms. The glitch would have allowed hackers to access files and open network connections on Facebook’s servers. Today, Silva works as an engineer at Facebook.