This article is more than 1 year old

Facebook doubles ad-hacking bounty

Small security snafus snuffed, try the tiny and technical

Facebook has doubled the cash it will pay out to folks who report holes in its advertising code.

The bounty will rise in a bid to entice hackers to report bugs found in its ads code following an internal security audit that squashed an undisclosed number of vulnerabilities.

Security engineer Collin Greene said the Zucker-empire will double bug pay-outs until year's end.

"Starting today and extending through the end of 2014, all whitehat bugs in our ads code will receive double bounties," Greene wrote in a post.

"We found and fixed a number of security bugs but would like to encourage additional scrutiny from White hats to see what we might have missed.

"Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them."

Facebook recently squashed flaws including the ability to repeatedly redeem ad coupons; pull names of unpublished pages; read arbitrary local files, and inject JavaScript into an ads report email and through cross site request forgery (CSRF) force victims to send malicious emails to targets.

The organisation has to date paid out some US$3million in bug bounties including $33,500 award for a remote code execution external entity (XXE) vulnerability.

Greene offered some tips including that common security bugs like cross site scripting would probably not be present in ads code.

Pundits would gain more win by targeting missing or incorrect permissions checks, insufficient rate-limiting leading to scraping, edge-case CSRF issues, and problems with flash files.

Not to be outdone, Yahoo! has touted its recent HackerOne bug bounty that has since paid out $700,000 to 600 security researchers.

Yahoo! security response man Ramses Martinez said the Purple Palace Senior Director of Investigations, Intelligence, and Response said

It also comes as Facebook is reported to be introducing a Safety Check feature that sends push notifications to users travelling in known disaster areas.

Troubled travellers would then need to verify their safety. If they reported themselves as being danger, a notice will be posted to their feed. ®

More about

TIP US OFF

Send us news


Other stories you might like