Get a virtual facebook registration number and create accounts without linking your personal phone number.
In February 2018, Dmitry Lukyanenko, a researcher specializing in Android application security, decided to test how Facebook Messenger for Android handles corrupted GIFs.
Inspired by one of the vulnerabilities discovered back in 2016 in the popular ImageMagick image processing package, Lukyanenko generated several GIFs to see how they were processed.
He found a way to make the application crash, but Facebook did not pay a reward for this DoS flaw. However, the researcher noticed that the test GIF file that he uploaded to Messenger, which was not supposed to contain the actual image, displayed as what he called a “strange image” when the application opened in a web browser on a laptop. ,
He played around with GIF size, and the image looked like the screen of old TVs when there was no signal. After several tests, his GIF displayed a distorted version of the real image.
It was then that he realized that he was actually receiving data from an image previously uploaded by another user, which he called the problem of “accidental exposure to memory”.
Although Lukyanenko did not prove that the vulnerability could be reliably used to obtain confidential data, Facebook seems to have determined that this is a serious security hole, and decided to award him a reward of $ 10,000. The social media giant released the fix less than two weeks after receiving information about the error at the end of February 2018.
Users suggested that Reddit was the cause of the vulnerability, and some admitted that this could have serious security implications.
“He restored most of the imagination of others. Imagine that it was a photograph of your children that you privately sent to your family or something like that. This is a rather serious vulnerability, even if it can only be used to extract recently uploaded images, ”said one of the Reddit users.
Lukyanenko posted on his blog a post detailing his findings, as well as a video showing the exploit in action.
In 2017, Facebook awarded the researcher $ 40,000 for the remote code execution vulnerability introduced by ImageMagick.