Facebook Doubles Bug Bounty for Advertising Code Flaws

Facebook has revealed that researchers who uncover problems in its advertising code will receive double bug bounties, at least until the end of the year.

The decision to double the bug bounties for advertising code flaws indicates the importance of advertising to Facebook’s bottom line.

Bug Fixes

The decision was revealed in a blog posting by Collin Greene, a security engineer at Facebook. “Starting today and extending through the end of 2014, all Whitehat bugs in our ads code will receive double bounties,” Greene wrote.

Greene pointed out that Facebook had recently undertaken a comprehensive security audit of this area, and had discovered and fixed a number of security bugs. These included a bug that allowed the same ads coupon to be redeemed multiple times because it never expired. Another allowed JavaScript to be injected into an ads report email; combined with a CSRF bug, that let an attacker make a victim send the malicious email to a target of the attacker's choosing.

The discovery of those and other bugs by Facebook staff prompted its decision to encourage more white hat researchers to scrutinise Facebook's advertising code and find what internal staff may have missed.

Greene also said that the vast majority of bug reports Facebook receives focus on the more common parts of its code. Therefore “we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them.”

He admitted that the bugs with the biggest impact tend to be in the user interface and analytics (Insights), but he also wants researchers to pay attention to the ads API and back-end code.

“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS,” wrote Greene. “What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs…Good luck, and keep the submissions coming!”


Slow Starter

Facebook was late to buy into the bug bounties concept. It first began offering bug bounties back in July 2011 – finally following the lead of Google, HP, Mozilla and others.

It said at that time it would pay a typical bounty of $500 (£300) to the first person to responsibly disclose a flaw that “could compromise the integrity or privacy of Facebook user data”.

But it took just three weeks for Facebook to realise the benefits of its bug bounty program, after it revealed in August 2011 that it had paid out $40,000 (£24,509) to bug hunters.

But some security experts are concerned that, despite Facebook’s reward program, it would be more profitable for researchers to sell their findings on the underground market. Indeed, that could be the reason why one researcher claimed to have been paid $12,000 (£7,472) for reporting a bug in Facebook that could have let a hacker delete users’ photos without having access to their accounts.

Last September Arul Kumar, a 21-year-old researcher from India, said he was able to exploit the mobile version of the Support Dashboard that lets users check on reports they have lodged with the social network.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
