Facebook Doubles Rewards For Vulnerabilities in Ads Code

In an effort to ensure that its advertising system is not plagued by any security bugs, Facebook has decided to double the amount of money it awards to researchers who identify vulnerabilities in the social media network’s ads code.

Facebook has conducted a comprehensive audit of the ads system and has fixed several issues. However, the company hopes independent security experts will identify the flaws its own team might have missed.

“Since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,” Facebook Security Engineer Collin Greene wrote in a blog post last week.

Security researchers have reported ads-related issues to Facebook in the past, including an arbitrary local file read via a .zip symlink, a flaw that could have been leveraged to redeem the same ads coupon multiple times without expiry, and a bug that allowed for the name of an unpublished page to be retrieved via the Ads Create Flow by guessing its Page ID.

Another issue fixed by Facebook could have been exploited to inject JavaScript code into ads report emails and then get a victim to send a malicious email to a targeted user by leveraging a cross-site request forgery (CSRF) bug. The arbitrary local file read vulnerability in the ads system has been described by Greene in the Facebook bug bounty hunter’s guide.

Researchers interested in analyzing Facebook’s ads code can focus on three areas: the user interface, which comprises the ads manager tools and a JavaScript tool that supports bulk editing and uploading; the ads API; and the analytics/insights section. According to Facebook, many of the high-impact vulnerabilities found in the user interface and analytics sections were related to missing or incorrect permission checks.
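As an added example (not Facebook’s code), the unpublished-page-name lookup mentioned above modelled as a missing object-level permission check, with a hardened handler beside it; the Page model, the PAGES sample data and the handler names are assumptions, not anything from Facebook’s ads system.

```python
# Added example (not Facebook's code): the "unpublished page name via guessed
# Page ID" bug class from the article, modelled as a missing authorization check
# in an ads-create lookup, beside a hardened version. All names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Page:
    page_id: int
    name: str
    published: bool
    admins: frozenset  # user ids allowed to see the page before publishing

# Constructed sample data: one public page, one unpublished draft.
PAGES = {
    1001: Page(1001, "Acme Shoes", True, frozenset({"alice"})),
    1002: Page(1002, "Acme Secret Launch", False, frozenset({"alice"})),
}

class NotFound(Exception):
    """Raised for both missing and unauthorized pages, so the response
    does not confirm whether a guessed Page ID exists."""

def page_name_vulnerable(requester: str, page_id: int) -> str:
    # Looks the page up by ID only; any authenticated user can walk the
    # ID space and read unpublished page names.
    page = PAGES.get(page_id)
    if page is None:
        raise NotFound()
    return page.name

def page_name_hardened(requester: str, page_id: int) -> str:
    # Authorization is decided per object: a published page is visible to
    # everyone, an unpublished page only to its admins. The "missing" and
    # "not yours" cases raise the same exception to avoid an existence oracle.
    page = PAGES.get(page_id)
    if page is None or not (page.published or requester in page.admins):
        raise NotFound()
    return page.name

def can_read(fn, requester: str, page_id: int) -> bool:
    """Helper for comparing the two handlers: True if the name is returned."""
    try:
        fn(requester, page_id)
        return True
    except NotFound:
        return False

if __name__ == "__main__":
    for pid in PAGES:
        print(pid, "vulnerable:", can_read(page_name_vulnerable, "bob", pid),
              "hardened:", can_read(page_name_hardened, "bob", pid))
```

The same pattern applies to the analytics/insights endpoints: the check belongs next to every object lookup, not only on the UI that normally reaches it.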

“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs,” Greene said.

Up until now, Facebook has paid out over $3 million to researchers who have contributed to making the social networking website more secure.

Facebook is not the only company to increase bug bounties. In late September, Google announced rewards of up to $15,000 for serious vulnerabilities in the Chrome Web browser.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
