Hi everyone, as promised, this is the write-up for the Spark AR RCE I discovered a while ago. It started when I stumbled upon an article from the Facebook bug bounty program where they mentioned an increased payout for binary reports.
This seemed interesting. Back then I thought that the increased payout (the $40K) was for client-side vulnerabilities as well. I was wrong, because Facebook said that this payout was for issues that execute directly on their infrastructure, but that’s okay because it was fun exploiting this issue.
Enough with the stories; let’s dive into the vulnerability itself. The main issue was a path traversal when parsing arprojpkg files that affected Spark AR Studio.