Facebook Bug Bounties for Ads Code Just Doubled

Facebook has doubled the bounties for security vulnerabilities discovered in the code behind its advertising system, according to PC World. Researchers who find bugs in the ads code will now be paid at least $1,000, rather than the previous minimum of $500.

Typical vulnerabilities include incorrect permission checks, insufficient rate-limiting, edge-case CSRF issues, and Flash problems in the ads code. The social network announced it had just finished a “comprehensive” security audit in this area.

“We found and fixed a number of security bugs but would like to encourage additional scrutiny from Whitehats to see what we might have missed,” Facebook security engineer Collin Greene wrote in a blog post.

“Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them.”

The security engineer also shared several tips for successfully finding bugs in ads code and mentioned some past ad bugs they managed to fix:

  • Redeeming the same ads coupon multiple times without expiry;
  • Retrieving the name of an unpublished Page via the Ads Create Flow by guessing its Page ID;
  • Arbitrary local file read via a .zip symlink;
  • Injecting JavaScript into an ads report email and then leveraging a CSRF (cross-site request forgery) bug to make a victim send a malicious email to a target.
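The “.zip symlink” item above describes a class of archive-handling bug: an entry whose Unix mode bits mark it as a symbolic link, which an extractor that honours symlinks will materialise as a link to whatever path the entry names, so a later read of the “extracted file” returns the target’s contents. As an added example (not Facebook’s code and not from the article), the Python below builds a constructed archive containing an ordinary file, a symlink entry and a path-traversal name, and shows the pre-extraction check a defender would run: reject link entries and any name that resolves outside the extraction root. Python’s own zipfile module writes symlink entries as ordinary files rather than creating links, so the check matters mainly when the archive is handed to another extractor or the extracted tree is served by something that follows links. The extraction root, entry names and link target are assumptions.

```python
import io
import stat
import tempfile
import zipfile
from pathlib import Path

# Extraction root used for the path-containment check (assumed location; need not exist yet).
EXTRACT_ROOT = Path(tempfile.gettempdir()) / "ads-report-extract"


def build_sample_archive() -> bytes:
    """Constructed sample archive, not a real upload: one ordinary file,
    one entry flagged as a Unix symlink, and one name that climbs out of the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly ad spend\n")
        # A symlink entry: the Unix mode lives in the high 16 bits of external_attr,
        # and the entry's data is the link target rather than file content.
        link = zipfile.ZipInfo("latest.csv")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")  # placeholder target, chosen only to show the risk
        zf.writestr("../escape.txt", "written outside the extraction root\n")
    return buf.getvalue()


def classify_entries(data: bytes, root: Path = EXTRACT_ROOT) -> dict:
    """Map each entry name to a verdict: 'ok', 'symlink' or 'traversal'."""
    root = root.resolve()
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            unix_mode = zi.external_attr >> 16
            if stat.S_ISLNK(unix_mode):
                verdicts[zi.filename] = "symlink"
                continue
            # Resolve the would-be destination and require it to stay under root;
            # this also catches absolute names, since root / "/x" is just "/x".
            target = (root / zi.filename).resolve()
            if target != root and root not in target.parents:
                verdicts[zi.filename] = "traversal"
                continue
            verdicts[zi.filename] = "ok"
    return verdicts


def safe_extract(data: bytes, root: Path = EXTRACT_ROOT) -> list:
    """Extract only the entries that classify_entries accepted; return their names."""
    verdicts = classify_entries(data, root)
    root.mkdir(parents=True, exist_ok=True)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if verdicts[zi.filename] != "ok":
                continue
            zf.extract(zi, root)
            extracted.append(zi.filename)
    return extracted


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, verdict in classify_entries(archive).items():
        print(f"{verdict:9s} {name}")
    print("extracted:", safe_extract(archive))
```

The check reads the mode bits from the central directory before any bytes touch the disk, which is the point: once a link has been created, every later component that opens “the report” is reading the link target, so the decision has to be made from the archive metadata rather than from the extracted tree.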

Besides APIs or analytics, Facebook encourages whitehats to discover ad bugs in “everything else.”

“There is a lot of backend code to correctly target, deliver, bill and measure ads,” Greene said. “This code isn’t directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact.”

Since the debut of Facebook’s bug bounty program in 2011, whitehats have earned over $3 million for discovering new vulnerabilities. A year ago, Yahoo! made headlines after dropping T-shirt bounties in favour of cash rewards. The change came after several Swiss security researchers publicly shamed the tech giant for offering branded clothing instead of actual money. Yahoo! announced it would replace T-shirt rewards with bounties of up to $15,000 for “new, unique and/or high risk” bugs.

For more information about Facebook’s bug bounty program, “hunters” can also read this recent guide.

About the author


Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story. She's the industry news guru, who'll always keep a close eye on the AV movers and shakers and report their deeds from a fresh new perspective. Proud mother of one, she covers parental control topics, with a view to valiantly cutting a safe path for children through the Internet thicket. She likes to let words and facts speak for themselves.