Facebook Doubles Rewards For Vulnerabilities in Ads Code

In an effort to ensure that its advertising system is not plagued by any security bugs, Facebook has decided to double the amount of money it awards to researchers who identify vulnerabilities in the social media network’s ads code.

Facebook has conducted a comprehensive audit of the ads system and has fixed several issues. However, the company hopes independent security experts will identify the flaws its own team might have missed.

“Since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,” Facebook Security Engineer Collin Greene wrote in a blog post last week.

Security researchers have reported ads-related issues to Facebook in the past, including an arbitrary local file read via a .zip symlink, a flaw that could have been leveraged to redeem the same ads coupon multiple times without expiry, and a bug that allowed for the name of an unpublished page to be retrieved via the Ads Create Flow by guessing its Page ID.

Another issue fixed by Facebook could have been exploited to inject JavaScript code into ads report emails and then, by leveraging a cross-site request forgery (CSRF) bug, get a victim to send a malicious email to a targeted user. The arbitrary local file read vulnerability in the ads system has been described by Greene in the Facebook bug bounty hunter’s guide.

Researchers interested in analyzing Facebook’s ads code can focus on three areas: the user interface, which comprises the ads manager tools and a JavaScript tool that supports bulk editing and uploading; the ads API; and the analytics/insights section. According to Facebook, many of the high-impact vulnerabilities found in the user interface and analytics sections were related to missing or incorrect permission checks.
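As an added illustration of the permission-check class of bug described above (the unpublished page name retrievable by guessing a Page ID), here is a constructed model of such a lookup in its vulnerable and hardened forms. This is example code written for this article, not Facebook's; the Page objects, viewer names and function names are hypothetical stand-ins.

```python
"""Constructed model of an ads-flow page-name lookup (hypothetical, not Facebook code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Page:
    page_id: int
    name: str
    published: bool
    admins: frozenset = field(default_factory=frozenset)


# Constructed sample data: one public page and one unpublished page.
PAGES: Dict[int, Page] = {
    1001: Page(1001, "Public Bakery", True, frozenset({"alice"})),
    1002: Page(1002, "Secret Launch Page", False, frozenset({"bob"})),
}


def page_name_vulnerable(viewer: str, page_id: int) -> Optional[str]:
    """Vulnerable form: the object is fetched by ID and its name returned with
    no check that the viewer may see it, so any valid ID discloses the name
    even for an unpublished page the viewer does not administer."""
    page = PAGES.get(page_id)
    return page.name if page else None


def page_name_fixed(viewer: str, page_id: int) -> Optional[str]:
    """Hardened form: authorize before disclosing anything about the object.
    An unpublished page is visible only to its admins; an unknown ID and an
    unauthorized ID give the same answer so the check itself leaks nothing."""
    page = PAGES.get(page_id)
    if page is None:
        return None
    if not page.published and viewer not in page.admins:
        return None
    return page.name


def names_visible_to(lookup: Callable[[str, int], Optional[str]],
                     viewer: str, id_range: range) -> Dict[int, str]:
    """Regression-test helper: what a given viewer learns from `lookup` over a
    small ID range. Used to confirm that the fix hides unpublished pages."""
    visible = {}
    for pid in id_range:
        name = lookup(viewer, pid)
        if name is not None:
            visible[pid] = name
    return visible
```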

“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs,” Greene said.

Up until now, Facebook has paid out over $3 million to researchers who have contributed to making the social networking website more secure.

Facebook is not the only company to increase bug bounties. In late September, Google announced rewards of up to $15,000 for serious vulnerabilities in the Chrome Web browser.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.