The saying one man’s trash is another man’s treasure applies to IT security as well. There are several types of attacks, such as buffer overflow, that rely on accessing leftover memory content. For example, this is exactly what the infamous Heartbleed bug in OpenSSL was all about.

A Belarussian bug hunter Dzmitry Lukyanenka recently published a very interesting story of how he earned a $10,000 bounty from Facebook in 2018. At that time, he discovered that Facebook Messenger was serving him someone else’s trash. It all began, when Dzmitry wanted to test how the Facebook Messenger Android app reacts to atypical GIF files.

The GIF file is composed of a header and body. Dzmitry decided to create a minimal file that would have required header information but no body at all. He then included such files in a Messenger chat to see how they are processed. The Android app behaved normally serving back an empty image, but the web application was showing unexpected results!

It took Dzmitry only a moment to realize that the images that Messenger served him were not random. It was the content of the global GIF buffer. It seems that the Messenger web app was pulling a number of bytes from the buffer as specified by the image size in the GIF header.

Facebook reacted very quickly and patched the vulnerability within less than two weeks. Dzmitry received his bounty less than a month after the report was sent.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.