Facebook to Double Bounty Payouts For Ad Code Bugs


Facebook said it will double bug bounty payouts for the remainder of the year for serious vulnerabilities in its ad code.

Popular segments of Facebook code have plenty of white hats and black hats poking around for bugs. The same probably cannot be said for the social network’s ads code, so Facebook has decided to add an incentive to its bug bounty program.

Through the end of the year, payments will be doubled for bugs reported to and verified by the bounty program, Facebook said.

“We recently completed a comprehensive security audit of this area ourselves. We found and fixed a number of security bugs but would like to encourage additional scrutiny from Whitehats to see what we might have missed,” said Facebook security engineer Collin Greene. “We hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them.”

Ad code largely handles roles and enforces permissions, as well as permissions for reading or writing billing information, Facebook said. Greene said that a number of ad code vulnerabilities have passed through the bounty program, but not enough to conclude that commodity vulnerabilities have been conquered as they have in other regions of Facebook code.

“At this stage of our bug bounty program, it’s uncommon for us to see many of the common web security bugs like XSS [cross-site scripting],” Greene said. “What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs.”

Facebook identified a number of areas that are in scope for an ads bounty. The user interface, which includes the Ads Manager and Power Editor tools that enable users to edit and upload bulk ads, has been a place where a number of permissions-based security issues have been discovered and reported. The Ads API is another area where Facebook hopes for some white hat scrutiny. In July, a serious privacy bug in the API was reported that allowed legacy REST API calls to be made on behalf of any user. Exploiting this bug could expose private messages, notes, drafts and contact information, and provide the ability to post status updates and comments, create photo albums, upload photos and more, according to researcher Stephen Sclafani.

Facebook’s ads Analytics feature, used to measure ad performance, is another spot where permissions-based vulnerabilities have been discovered. Exploits there have made analytics available for an application by using a Graph API token.

Facebook’s bug bounty is three years old and has paid out more than $3 million. Earlier this year, Facebook paid out $33,500 for a remote code execution XXE vulnerability. The vulnerability could allow an attacker to read files from a Facebook server to another internal service and execute code. The bug caused Facebook to disable external entities across and audit the code for similar endpoints.

Today’s announcement around ads code was hinted at in April when Facebook announced that it might increase rewards for critical bugs after studying 2013 submissions. Facebook paid out more than a million dollars in bounties in 2013 to 330 white hats; overall submissions, however, including those ineligible for a bounty, jumped 246 percent.

“The volume of high-severity issues is down, and we’re hearing from researchers that it’s tougher to find good bugs,” Greene said at the time. “To encourage the best research in the most valuable areas, we’re going to continue increasing our reward amounts for high priority issues.”
