Facebook Forgets To Fix ImageTragick And Pays For It!

Staying up-to-date on vulnerabilities is a critical part of an information security program and many organizations, fortunately, realize this for the most part. However, a problem, which we have been working hard to educate both software / device vendors and organizations on, is that an often overlooked area is libraries and other 3rd party components developers are using in their code.

This week had a great case underlying this exact issue. A bug bounty researcher published an excellent write-up of how he back in October 2016 discovered that Facebook had overlooked one of their systems being affected by the widely known ImageTragick vulnerability. This vulnerability allows for code execution and was initially reported in May 2016. Facebook was apparently using the ImageMagick software suite for some image processing, but had failed to update it.

This mistake ended up costing Facebook USD $40,000 in a bug bounty. While a lot of money, Facebook still got off cheap. This oversight could have ended up costing them so much more!

A reliable vulnerability intelligence solution would have warned them about this vulnerability five months prior to it being discovered in their systems. Coupled with a solid asset tracking solution, they would have immediately known that this system was at risk and could have secured it, saving USD $40,000 in the process and ensuring their systems as well their users were secure.

There are many other vulnerabilities in ImageMagick and similar components, and it is important to continuously stay updated on the latest vulnerabilities and address these in a timely manner.

We are in favor of bug bounty programs and have given numerous talks about the advantages of these. However, they should never replace a vulnerability intelligence solution and mature patch management process that includes coverage of 3rd party libraries used in development.