Yahoo's engineers have retired the ImageMagick library after a security researcher found a bug that allowed an attacker to expose server memory. Because the library was rendering previews of email attachments, that memory held image data from other users' inboxes.
The ImageMagick library is a long-standing toolkit used by many developers around the world to handle image processing operations on web servers.
Once a beloved tool, the library has not aged well: over time it has been affected by numerous vulnerabilities, the best known being the 2016 flaw dubbed ImageTragick.
As time went by, and especially after ImageTragick, many web developers switched to newer image processing libraries. One of the companies that continued to use ImageMagick was Yahoo.
During this past winter, security researcher Chris Evans discovered a new vulnerability in the ImageMagick library. The security expert details the technical intricacies of this flaw on his blog.
Greatly simplified, the write-up goes like this: Evans crafted a malformed image designed to trigger the bug and sent it to himself as an email attachment.
When the message reached Yahoo's mail servers, ImageMagick processed the attachment to generate thumbnails and previews. The malformed image did not carry executable code of its own; it caused the decoder to leave part of its output buffer unwritten, so the library rendered a preview from memory it had never initialized.
The result was a corrupt preview image for the email's original attachment.
Instead of the original image, the preview contained fragments of other images still present in the server's memory, left over from attachments the library had processed earlier. Fortunately, the fragments Evans obtained were mangled and contained no usable information.
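To make the bug class concrete, here is a constructed toy run-length-encoded pixel decoder, added for this article; it is not ImageMagick's code and not Evans' exploit. The two-byte (count, value) run format, the buffer sizes and the function names are assumptions. The unsafe variant writes only the pixels the stream describes and leaves the rest of a reused buffer untouched, so a truncated image "decodes" into whatever the previous image left behind. The hardened variant zero-fills the buffer first and treats a stream that does not cover the declared image as a decode error, which is the general remedy for this class of uninitialized-memory disclosure.

```c
/* Toy RLE pixel decoder: shows how a truncated image leaves part of a reused
 * pixel buffer holding stale data, and how a hardened decoder avoids it.
 * Constructed for this article; not ImageMagick's code or Evans' exploit.
 * The (count, value) run format and all names below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIXELS 16          /* declared image size, in pixels */
#define STALE  0xAB        /* marks bytes the buffer held before decoding */

/* Vulnerable variant: writes only the pixels the run list describes and never
 * touches the rest of `out`. Whatever `out` held before (pixels of the previous
 * image decoded into this buffer) survives into the "decoded" result. */
size_t rle_decode_unsafe(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_len)
{
    size_t written = 0;
    for (size_t i = 0; i + 1 < in_len && written < out_len; i += 2) {
        uint8_t count = in[i];
        uint8_t value = in[i + 1];
        if (count == 0)            /* end-of-image marker */
            break;
        while (count-- && written < out_len)
            out[written++] = value;
    }
    return written;
}

/* Hardened variant: clear the output first so nothing stale can survive, then
 * treat a run list that does not cover the whole declared image as a decode
 * error rather than a partially valid picture. Returns 0 on success, -1 on error. */
int rle_decode_safe(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_len)
{
    memset(out, 0, out_len);
    size_t written = rle_decode_unsafe(in, in_len, out, out_len);
    return written == out_len ? 0 : -1;
}

/* Count how many bytes of `buf` still carry the stale marker. */
size_t stale_bytes(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/* Constructed malformed input: runs for 6 pixels, then end-of-image, inside
 * an image that declares 16 pixels. */
static const uint8_t TRUNCATED[] = { 4, 0x11, 2, 0x22, 0, 0 };
/* Constructed well-formed input: one run covering all 16 pixels. */
static const uint8_t COMPLETE[]  = { 16, 0x33, 0, 0 };

/* Decode TRUNCATED with the vulnerable decoder into a buffer that still holds
 * a previous image; returns how many stale bytes leak into the result. */
size_t leak_with_unsafe_decoder(void)
{
    uint8_t cache[PIXELS];
    memset(cache, STALE, sizeof cache);      /* "previous user's" pixels */
    rle_decode_unsafe(TRUNCATED, sizeof TRUNCATED, cache, sizeof cache);
    return stale_bytes(cache, sizeof cache);
}

/* Same input through the hardened decoder: returns 1 if it reports an error
 * and no stale byte survives in the buffer, 0 otherwise. */
int safe_decoder_rejects_truncated(void)
{
    uint8_t cache[PIXELS];
    memset(cache, STALE, sizeof cache);
    int rc = rle_decode_safe(TRUNCATED, sizeof TRUNCATED, cache, sizeof cache);
    return rc == -1 && stale_bytes(cache, sizeof cache) == 0;
}

/* Well-formed input through the hardened decoder: returns 1 if it succeeds,
 * fills every pixel with the run value and leaves no stale byte. */
int safe_decoder_accepts_complete(void)
{
    uint8_t cache[PIXELS];
    memset(cache, STALE, sizeof cache);
    int rc = rle_decode_safe(COMPLETE, sizeof COMPLETE, cache, sizeof cache);
    return rc == 0 && stale_bytes(cache, sizeof cache) == 0
        && cache[0] == 0x33 && cache[PIXELS - 1] == 0x33;
}

int main(void)
{
    uint8_t cache[PIXELS];
    memset(cache, STALE, sizeof cache);
    rle_decode_unsafe(TRUNCATED, sizeof TRUNCATED, cache, sizeof cache);
    printf("unsafe decoder output:");
    for (size_t i = 0; i < sizeof cache; i++)
        printf(" %02x", cache[i]);
    printf("\n%zu of %d bytes are stale data from the previous image\n",
           stale_bytes(cache, sizeof cache), PIXELS);
    printf("safe decoder rejects truncated input: %d\n",
           safe_decoder_rejects_truncated());
    printf("safe decoder accepts complete input: %d\n",
           safe_decoder_accepts_complete());
    return 0;
}
```

Running the program prints the sixteen output bytes of the unsafe decoder: the first six are the pixels the truncated stream described, the remaining ten are the 0xAB marker standing in for the previous image. In a real server the "previous image" is whatever the heap happened to hold, which is exactly why a malformed attachment could produce a preview built from other users' pictures. Note that the hardened decoder does both things: clearing the buffer alone would turn the leak into a black band, and rejecting the short stream alone would still leave stale bytes in a buffer the caller might go on to use.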
The researcher deliberately did not refine his technique to obtain clearer images, as doing so would have intruded on users' privacy and broken the rules of Yahoo's bug bounty program.
In the end, Yahoo's engineers decided it was best to retire the ImageMagick library altogether. Yahoo awarded Evans $14,000 for his report; under the bug bounty program's rules, the company doubled the reward after Evans chose to donate it to charity.
After disclosing the issue to Yahoo, Evans also reported the bug to the ImageMagick team, who patched it in version 7.0.5-1, released two months ago.