Russian specialists received the largest fee by Facebook
23 January 2017, 08:23

The social network Facebook has rewarded the Russian researcher Andrey Leonov for a vulnerability he found in the site's security. The flaw was rated critical.

Andrey found that Facebook was using a vulnerable version of ImageMagick. This software package, which pre-processes images before they are published, is used by many popular sites. By exploiting the security hole, attackers could execute arbitrary commands on the remote server by "hiding" code inside an image file.
The vulnerability was discovered and patched in May 2016. In November, however, Andrey managed to bypass Facebook's protection. He immediately informed the social network's administration of the danger; the problem persisted for two more days.

Andrey described his discovery:

The vulnerability found allows executing arbitrary code on the server(s) owned by Facebook. But we must understand that, although code execution in itself is not good, it matters a great deal where it can be executed: what kind of server one managed to gain access to, and what sits on the neighboring servers.

Reward

The bug was rated critical. Andrey received the biggest reward Facebook has paid: 40 thousand dollars, or 2.4 million rubles. Andrey described his discovery in his personal blog.

Andrey Leonov also answered a few questions:

- How much time was spent searching for the vulnerability?
- Frankly, a complicated question. Once I got to the page where the vulnerable script was, maybe twenty or thirty minutes for all the checks. But the fact that I even got there was an accident. Before that, I spent about a couple of hours checking another service, since it was on Facebook.

- What tools did you use for the search?
- Standard ones: a browser, Burp Suite (editor's note: software for testing the security of web applications), hands, head and knowledge :)

Views: 410 | Added by: mikail | Rating: 0.0/0