On the blog post Andrey says that he was testing another service (not Facebook) but some of the redirect drag him to Facebook i.e. 'Share on Facebook' dialog box.
When user post a link on facebook it fetch the url for image and shows the image contains on the page of the link. On checking deeper, he fount that a `picture` parameter is a url, but there isn’t image url on page content. [See image below]
On this he came to know how application was working and he wrote -
- Gets `picture` parameter and requests it - this request is correct and not vulnerable
- Received picture passes on converter's instance which used vulnerable ImageMagick library
Later on he successfully exploited the bug leveraging a Code Execution on Facebook server. For this finding Facebook awarded him $40,000 under company's Bug Bounty Program.