Hacker cracks Facebook with remote code execution bug

Facebook has paid US$40,000 to vulnerability hunter Andrew Leonov for disclosing how the hacker gained remote code execution on its servers through the widely-reported ImageMagick flaw. Leonov (@4lemon) described how he discovered the so-called ImageTragick flaw still impacting Facebook in a post that detailed all but the most …

  1. Anonymous Coward

    Found a vulnerability

    Facebook can harvest all your data and sell it. Where do I collect my bounty?

    1. Adam JC

      Re: Found a vulnerability

      Oh didn't you know? That's a feature.

    2. Anonymous Coward

      Re: Found a vulnerability

      It can only collect what you willfully place on it.

      You can harvest all of my cat photos and sarcastic comments on "friends" from school who I avoided the instant I left.

      I've still no idea why so many people (my wife included) spend so much time/effort on it.

      1. Anonymous Coward

        Re: Found a vulnerability

        What about all the web beacons that collect 80% of your web browsing history, unless you specifically install an addon to block those connections?

      2. Robert Helpmann?? Silver badge

        Re: Found a vulnerability

        It can only collect what you willfully place on it.

        ...

        I've still no idea why so many people (my wife included) spend so much time/effort on it.

        So your last statement is a confirmation of the first in that you just don't get it? Fair enough. It's like this: FB promises hours of free mindless entertainment and encourages users to give up everything about themselves under the guise of allowing them to keep up with their friends, to confirm their pre-existing biases and to look at memes. They then take all the information they harvest, with or without their users' knowledge, and sell it over and over. People are good with this because mindless is mindless, after all. It's easy to take advantage of folks if they think they are getting something for free. If there is nothing physical for them to see being taken from them, they will never notice the loss.

  2. LDS Silver badge

    Bugs of Greed...

    Billions around, and they exploit another open source library without even giving a look to the code...

  3. Anonymous Coward

    Can't believe they still use it...

    I thought Facebook was all about efficiency and scaling and they're still using ImageMagick? It's slow and uses way too much memory.

    1. Hans 1 Silver badge

      Re: Can't believe they still use it...

      @ac

      Easy target!

      Please, enlighten us, what do you use? Homebrew?

      1. Anonymous Coward

        Re: Can't believe they still use it...

        vips, which instead of using 500MB+ of memory and often leaving working files of 2GB behind, just gets on with it in a few MB of memory and fewer CPU cycles.

      2. gerdesj Silver badge

        Re: Can't believe they still use it...

        http://www.vips.ecs.soton.ac.uk/index.php?title=Speed_and_Memory_Use

  4. John 104

    It can only collect what you willfully place on it.

    Or perhaps, things you don't willfully place on it. Like your contact info scraped from a friend's list. Not a FB user? Who gives a shit, we have your info anyway and what are you going to do about it?

    1. Anonymous Coward

      How's that again? How can it scrape stuff from someone who doesn't use the service? You make it sound like it's going to build my profile up whether I like it or not. I'm not on there, so none of my "personal info" is going to be directly available. Even indirectly is not achieved because if someone adds me to a list as an entity, there is no way to link to anything. I'm simply not on there.

      You are making a great case for making sure to take your medications before commenting on news on the webnets! Take your meds. Get some clarity, or fog, whatever it is that causes your neurons to actually make some synaptic contact. Get it together, Johnny!

  5. Mark 65 Silver badge

    It's a sad state of affairs when "the tools could be abused to allow attackers to upload malicious images that grant remote code execution from where various further compromise, data exfiltration, and lateral movement may be possible."

    Still, in 2017.


Biting the hand that feeds IT © 1998–2019