SecurityWeek

Vulnerabilities

Facebook Doubles Rewards For Vulnerabilities in Ads Code

In an effort to ensure that its advertising system is not plagued by any security bugs, Facebook has decided to double the amount of money it awards to researchers who identify vulnerabilities in the social media network’s ads code.

Facebook has conducted a comprehensive audit of the ads system and has fixed several issues. However, the company hopes independent security experts will identify the flaws its own team might have missed.

“Since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,” Facebook Security Engineer Collin Greene wrote in a blog post last week.

Security researchers have reported ads-related issues to Facebook in the past, including an arbitrary local file read via a .zip symlink, a flaw that could have been leveraged to redeem the same ads coupon multiple times without expiry, and a bug that allowed for the name of an unpublished page to be retrieved via the Ads Create Flow by guessing its Page ID.

Another issue fixed by Facebook could have been exploited to inject JavaScript code into ads report emails and then get a victim to send a malicious email to a targeted user by leveraging a cross-site request forgery (CSRF) bug. The arbitrary local file read vulnerability in the ads system has been described by Greene in the Facebook bug bounty hunter’s guide.

Researchers interested in analyzing Facebook’s ads code can focus on the user interface, which comprises the ads manager tools and a JavaScript tool that supports bulk editing and uploading, the ads API, and the analytics/insights section. According to Facebook, many of the high-impact vulnerabilities found in the user interface and analytics sections were related to missing or incorrect permission checks.

“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs,” Greene said.

To date, Facebook has paid out over $3 million to researchers who have contributed to making the social networking website more secure.

Facebook is not the only company to increase bug bounties. In late September, Google announced rewards of up to $15,000 for serious vulnerabilities in the Chrome Web browser.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
