Meta Offers Rewards for Flaws Allowing Attackers to Bypass Integrity Checks

Facebook parent company Meta today announced that its bug bounty program will cover vulnerabilities that can be exploited to bypass integrity safeguards.

The program expansion, the company says, is meant to steer researchers’ attention to security issues that attackers may exploit to bypass specific integrity checks meant to limit abuse behaviors.

Such checks include mandatory two-factor authentication for specific business manager accounts, Facebook’s own application verification process, or feature restriction enforcements.

For example, Meta is willing to pay researchers for reports of issues that allow bypassing the quarantine state a business is automatically placed in when it violates Facebook policies, or bugs that allow tampering with restrictions enforced on other businesses or with their appeals against those restrictions.

Researchers who identify endpoints that may perform sensitive actions without triggering a Business Manager two-factor authentication (2FA) prompt may receive up to $2,000 for their reports.

Meta also says it is willing to pay good money for vulnerabilities identified in its ads payment infrastructure.

Thus, researchers may receive rewards of up to $20,000 for issues allowing them to “create an arbitrary amount of prepaid balance without using a valid payment method,” or up to $15,000 for bugs that allow them to “remove an arbitrary outstanding balance without a valid payment,” the company says.


Flaws that allow researchers to tamper with metrics in Facebook Audience Network will also be rewarded. The highest bounty payout – of $10,000 – will go to reports demonstrating the “ability to take credit for the attribution of an install through an advertisement” without user interaction.

Meta will pay up to $20,000 to researchers demonstrating a method of generating ad revenue via fake impressions (without use of external botnets, scripts, social engineering, or fake accounts).

Scenarios that impact the integrity of ads displayed within the Facebook Audience Network are also within scope of the bug bounty program. New attack vectors that are also highly scalable and exploitable may be awarded bug bounty rewards of up to $10,000.

Meta also expanded the bug bounty program to include vulnerabilities in its application review process and issues that allow tampering with an app’s identity after the review process has been completed.

Furthermore, the social media platform will reward issues that allow applications to continue accessing user information after a grace period of 90 days has passed since the individual last used the application, as well as bugs that allow applications to bypass rate limits Facebook has imposed on API calls.

Meta also announced bug bounty rewards for vulnerabilities that bypass penalties – such as user account suspensions or disables – that have been enforced for policy violations. Issues allowing for the bypass or modification of a user’s appeals to these enforcements are also within the scope of the bug bounty program.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
