Facebook users concerned that their private phone numbers could be confirmed via their social media accounts can change their privacy settings so non-friends cannot perform this action.
Facebook users concerned that their private phone numbers could be confirmed via their social media accounts can change their privacy settings so non-friends cannot perform this action.

An independent security researcher discovered a severe remote code execution vulnerability on Facebook's website that earned him a record $40,000 bug bounty, while another uncovered a privacy issue that reveals private phone numbers linked to Facebook users' accounts.

According a blog post by Russia-based web application security researcher Andrey Leonov, the remote code execution flaw can be exploited using a bug in the image-processing software ImageMagick that was originally discovered in April 2016.

Although this vulnerability, dubbed ImageTragick, was patched shortly after its discovery, it was still impacting Facebook when Leonov reported the issue last Oct. 16. Facebook promptly patched the issue and rewarded Leonov with the substantial bounty – the largest the social media giant has ever bestowed.

The ImageTragick vulnerability, officially designated as CVE-2016-3714, stems from the insufficient parameter filtering of user-added files that contain external libraries. This flaw makes it possible for bad actors to execute a shell command injection, resulting in remote code execution during the conversion of certain file formats. In other words, hackers can embed malicious code into seemingly benign image files in order to gain control of a machine. 

“I am glad to be the one of those who broke the Facebook,” wrote Leonov in his blog post. Facebook confirmed that the researcher's account of his findings is accurate.

Meanwhile, news outlets are also reporting that Belgian security researcher Inti De Ceukelaire has found a privacy flaw in a Facebook search application, which adversaries could use to reveal the private numbers that users enter when registering with the social media platform.

According to an International Business Times report citing the Belgian media, De Ceukelaire claims his technique makes it possible within 30 to 45 minutes to determine the phone number linked to an individual Facebook account. However, the trick is only effective if the person comes from a country with a small population that employs telephone numbers of 12 digits or fewer.

De Ceukelaire told SC Media that the issue specifically resides in Facebook's Graph Search, a semantic search engine that responds to queries with written answers instead of links. Entering an arbitrary phone number into this engine reveals whose account that number belongs to, unless the account holder adjusts his privacy settings to forbid this action by non-friends. 

Under normal circumstances, such a query would be relatively harmless because the search is random. However, De Ceukelaire said that he can turn these queries into highly targeted searches against specific individuals by using the flaw he discovered to narrow down the list of possible phone numbers that are associated with any given Facebook user.

“It's actually three tricks combined,” De Ceukelaire said in an interview via Twitter. “First, I eliminate numbers to reduce the amount of possible numbers. Then I use a flaw to reduce the amount of numbers another time. And then I end up with a couple of possible numbers – let's say 10 numbers. Then I check them using the graph search.”

De Ceukelaire said that the technique allowed him to successfully look up the specific politicians' and celebrities' phone numbers that were not displayed on their public Facebook pages.

Facebook has acknowledged the issue, but believes this is not a true vulnerability because users can choose to protect their information further by changing their privacy settings.

“Anyone can control who can look up their profile by phone number using our ‘Who can look me up' setting,” a Facebook spokesperson said in an emailed comment. “We appreciate this report, but the ability to associate a phone number with an account is expected if the account is set up to allow that function.”

Facebook users can change their settings for “Who can look you up using the phone number you provided?” from “Everyone” to “Friends” only or “Friends of friends.” But there is no option to prevent all users from performing a phone number-based look-up.

De Ceukelaire said that trying to perform a phone number-based account search without first using his new technique to narrow down the possible numbers would take way too long, and Facebook's security mechanisms would prevent such an attempt.

He also said that users attempting his technique could be hindered if Facebook employed even more effective rate limiting than they currently have, although he did not specify precisely how this would help. Facebook is considering adjusting its rate limits in the future to deter abuse; however, De Ceukelaire is displeased that Facebook has not definitively fixed the issue, and plans to release the details of his privacy exploit in February, regardless of whether Facebook takes action or not.