Andrei Leonov took home a record payment from Facebook for breaking into its system. The $40,000 is his reward for having found a vulnerability in the American company’s system.
The news that the Russian expert hacked into the largest social network in the world, and was paid for it, made international headlines. But Leonov insists he is not a hacker – “I am a cyber security specialist.”
The difference is that he works on the “white” side, that is, he finds vulnerabilities in programs and tells developers about it.
“The main rule for researchers is not to go too deep, while hackers will go further,” said Leonov. “When a researcher finds a point of entry he says, ‘That’s enough, you take it from here.”
Leonov grew up in St. Petersburg, studied at a technical school and is now “thirty something.” He does not want to dwell on his age, just like he does not want to speak about politics, nor the scandals surrounding the U.S. Democratic Party hack and the alleged Russian groups behind it.
“Russian hackers are now exploited to frighten people like vodka and bears,” said Leonov. “Some people need an enemy in order to justify certain actions, and an invisible enemy is very convenient.”
What he did for Facebook is just a hobby. “I work independently,” said Leonov. “Some play poker, and others go fishing. Well, I look for vulnerabilities.”
Inserting the code
“Great bug from a responsible reporter who got $40K.” This was the tweet that Alex Stamos, director of Facebook’s information security department, posted on Jan. 17.
“I am glad to be one of those who broke Facebook,” Leonov wrote in his blog after he was told of his reward. Previously, Facebook’s largest payment was $33,500, given to Brazilian security researcher, Reginaldo Silva, in 2014.
In April last year other researchers discovered a vulnerability in one of the most common image processing modules, ImageMagic. It’s used to scale and convert images in Facebook’s news feed.
Leonov noticed that the function, “share news on Facebook” takes the news’ title image from other servers. It also turned out that neither Facebook nor ImageMagic checked whether the downloaded file is indeed a JPEG format image or something else.
“Having noticed this, I checked how a service, in this case Facebook, processes an image that I can manage and whose content I can change,” said Leonov.
According to the international Open Web Application Security Project (OWASP), such a vulnerability has the highest ranking. But its weakness largely depends on where the code is inserted.
“Let’s imagine that the computer is isolated from the Internet and the company’s entire infrastructure,” said Leonov. “Inserting the code in that computer is not very good, but not fatal. If the computer, however, has access to the user database, this is very bad.”
He contacted Facebook’s technical support in November and corrected the error.
No Russian school of hacking
Leonov works in the security department at SEMrush, an international IT company that develops instruments for online marketing. He spends his free time on crowdsourcing platforms where companies post announcements for testing products.
Leonov is one of the top 100 researchers on the Bugcrowd platform. Among Bugcrowd and other platform clients are companies such as General Motors, Uber, Pinterest and Mail.ru.
https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fphoto.php%3Ffbid%3D128911184242624%26set%3Da.128911220909287.1073741826.100013712299273%26type%3D3&width=500Leonov does not believe in a particular Russian school of hacking, or a Russian signature. Photo: Andrei Leonov. Source: Facebook
Leonov said that after he found the vulnerability in Facebook he was not flooded with job offers, and he “remains the person he always was.”
He does not believe in a particular Russian school of hacking, or a Russian signature. There are just intelligent people all over the world. He also believes that vulnerabilities are found everywhere.
“I use the same Internet service set that every person uses,” said Leonov. “I don’t have Instagram, for example, but not because it’s bad – I just don’t photograph myself eating or in an elevator.”
“I am disturbed by the fact that the average user has a maximum of three passwords: one for all types of junk, one for important sites and one for the most important mail, which is used for registering all the other accounts,” said Leonov.
However, speaking about his hobby – finding vulnerabilities – Leonov says that is a very boring and an unremarkable process.
“There are no 3D visualizations that we see in films about hackers,” Leonov chuckled.