The saying one man’s trash is another man’s treasure applies to IT security as well. There are several types of attacks, such as buffer overflow, that rely on accessing leftover memory content. For example, this is exactly what the infamous Heartbleed bug in OpenSSL was all about.
A Belarussian bug hunter Dzmitry Lukyanenka recently published a very interesting story of how he earned a $10,000 bounty from Facebook in 2018. At that time, he discovered that Facebook Messenger was serving him someone else’s trash. It all began, when Dzmitry wanted to test how the Facebook Messenger Android app reacts to atypical GIF files.
The GIF file is composed of a header and body. Dzmitry decided to create a minimal file that would have required header information but no body at all. He then included such files in a Messenger chat to see how they are processed. The Android app behaved normally serving back an empty image, but the web application was showing unexpected results!
It took Dzmitry only a moment to realize that the images that Messenger served him were not random. It was the content of the global GIF buffer. It seems that the Messenger web app was pulling a number of bytes from the buffer as specified by the image size in the GIF header.
Facebook reacted very quickly and patched the vulnerability within less than two weeks. Dzmitry received his bounty less than a month after the report was sent.
Get the latest content on web security
in your inbox each week.