The grateful social network's management paid Leonov $40,000 for services rendered, as part of the Facebook bug bounty program.
The exploit in ImageMagick, a package commonly used by web services to process images, was discovered by Leonov in October 2016 while he was working on an unrelated project and decided to investigate Facebook's content sharing mechanism for potential flaws like Server-Side Request Forgery (SSRF).
It should be noted that the vulnerability in question, known to the netizens as ImageTragick, allows an attacker to potentially execute arbitrary code on servers that use the application to edit user-uploaded images. It was originally discovered in April 2016 and disclosed to the public the following month.
However, for some reason Facebook was apparently unable to address the issue until Leonov reported it on October 16; the flaw was patched in about three days after his tip.
