Double Rewards For Finding Bugs In Facebook Ads Code
Written by Andrew Johnson   
Friday, 17 October 2014

Having fixed several bugs in its ads code internally, Facebook is hoping to get whitehat hackers to uncover any more that are lurking. From now until the end of the year it will pay out double for bugs in ads.

 

Announcing the incentive for concentrating on ads code rather than the more common parts of Facebook code, Colin Greene notes:

At this stage of our bug bounty program, it's uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs. 

He also provides some examples of bugs that have already been fixed in ads:

  1. Redeeming the same ads coupon multiple times without expiry.
  2. Retrieving the name of an unpublished Page via the Ads Create Flow by guessing its Page ID.
  3. Arbitrary local file read via a .zip symlink.
  4. Injecting JavaScript into an ads report email and then leveraging a CSRF bug to make a victim send a malicious email to a target on your behalf. 

In another post A Bounty Hunter's Guide to Facebook, Colin Greene provides updated guidelines on how to submit bugs so as to qualify for a reward. It is worth a careful read if you are new to the Facebook Bug Bounty program. The encouraging bit comes at the top:

Since starting our bug bounty program in 2011, researchers have earned over $3 million for helping us make Facebook more secure. 

So given double rewards are currently on offer, it worth scrutinizing ads more closely than usual. 

 

Banner


nginx Core Developer Announces New Fork
23/02/2024

One of the core developers of nginx has said he is no longer working on the development of the popular and widely used nginx web server, and is instead working on a new fork. Maxim Dounin release [ ... ]



Generative AI Training For All On Coursera
04/03/2024

Generative AI is on the loose, getting into business and commerce as well as into art, poetry and coding. Already useful, it  will become ever more useful as long as we use it properly. Coursera  [ ... ]


More News

 

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 17 October 2014 )