Facebook Doubles Bug Bounty for Advertising Code Flaws

Facebook has revealed that researchers who uncover problems in its advertising code will receive double bug bounties, at least until the end of the year.

The decision to double the bug bounties for advertising code flaws indicates the importance of advertising to Facebook’s bottom line.

Bug Fixes

The decision was revealed in a blog posting by Collin Greene, a security engineer at Facebook. “Starting today and extending through the end of 2014, all Whitehat bugs in our ads code will receive double bounties,” Greene wrote.

Greene pointed out that Facebook had recently undertaken a comprehensive security audit of this area, and had discovered and fixed a number of security bugs. These included a bug that allowed the same ads coupon to be redeemed multiple times without expiry. Another bug allowed JavaScript to be injected into an ads report email, which could then be combined with a CSRF bug to make a victim send a malicious email to a target on the hacker's behalf.

The discovery of those and other bugs by Facebook staff has prompted its decision to encourage more White Hat researchers to scrutinise Facebook’s advertising code, to see what internal staff may have missed.

Greene also said that the vast majority of bug reports Facebook receives are focused on the more common parts of its code. Therefore “we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them.”

He admitted that the bugs that have had the biggest impact tend to be associated with the user interface and analytics (insights), but he also wants researchers to pay attention to the ads API and back-end code.

“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS,” wrote Greene. “What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs…Good luck, and keep the submissions coming!”

White hat researchers can sign up here.

Slow Starter

Facebook was late to buy into the bug bounties concept. It first began offering bug bounties back in July 2011 – finally following the lead of Google, HP, Mozilla and others.

It said at that time it would pay a typical bounty of $500 (£300) to the first person to responsibly disclose a flaw that “could compromise the integrity or privacy of Facebook user data”.

But it took just three weeks for Facebook to realise the benefits of its bug bounty program, after it revealed in August 2011 that it had paid out $40,000 (£24,509) to bug hunters.

But some security experts are concerned that despite Facebook’s reward program, it would be more profitable for researchers to sell their findings on the underground market. Indeed, that could be the reason why one researcher claimed to have been paid $12,000 (£7,472) for fixing a bug in Facebook that could have let a hacker delete photos of users without having access to their accounts.

Last September Arul Kumar, a 21-year-old researcher from India, said he was able to exploit the mobile version of the Support Dashboard that lets users check on reports they have lodged with the social network.

Tom Jowitt
