According to a new report, Facebook images could be used to contain and spread malicious code across the platform.

The security researchers at Check Point, an Israeli security firm, publicized the flaw in Facebook’s defenses this week, noting that so-called “Locky” ransomware could be downloaded and installed by unwitting users via images. The security firm also claimed to have noticed a “massive spread” of this ransomware on Facebook in recent weeks, but Facebook vehemently denied the accusation.

“This analysis is incorrect,” the site said in a statement. “There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.”

However, despite Facebook’s defense for the security problems that Check Point noticed, the overall vulnerability that the firm called out could still be a problem. Check Point says that it reported the vulnerability to Facebook in September, but the social media giant has not said if there is a fix in place. The site’s statement on the Check Point accusation also dodged this bigger, more serious question.