Russian hacker, Andrew Leonov, was awarded by $40,000, the biggest payout in Facebook history.
Andrew Leonov discovered a bug that was making it possible to hide malicious code in image files uploaded to Facebook. More specifically, the vulnerability known as ImageTragick allowed attackers to execute arbitrary code on servers that used the application to edit user-uploaded images.
This problem was first reported in April of 2016. Facebook techs took measurements to fix it, but as Leonov figured out months later, this was not enough. Leonovs’ investigations finally helped Facebook expose and resolve a harmful vulnerability.
“Great bug from a responsible reporter,” Facebook’s information security chief, Alex Stamos wrote in a Twitter post.
As part of Facebook bug bounty program, grateful techs paid the Russian hacker a record fee for his service. Six years ago Facebook started the bug bounty program, since then the company paid more than $5 millions to the hackers that helped discover vulnerabilities of the largest social network.