

Facebook doubles ad-hacking bounty

Small security snafus snuffed, try the tiny and technical

Facebook has doubled the cash it will pay out to folks who report holes in its advertising code.

The bounty will rise in a bid to entice hackers to report bugs found in its ads code following an internal security audit that squashed an undisclosed number of vulnerabilities.

Security engineer Collin Greene said the Zucker-empire will double bug pay-outs until year's end.

"Starting today and extending through the end of 2014, all whitehat bugs in our ads code will receive double bounties," Greene wrote in a post.

"We found and fixed a number of security bugs but would like to encourage additional scrutiny from White hats to see what we might have missed.

"Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them."

Facebook recently squashed flaws including the ability to repeatedly redeem ad coupons; pull the names of unpublished pages; read arbitrary local files; and inject JavaScript into an ads report email, then use cross-site request forgery (CSRF) to force victims to send the malicious email to targets of the attacker's choosing.

The organisation has to date paid out some US$3 million in bug bounties, including a $33,500 award for an XML external entity (XXE) vulnerability that led to remote code execution.

Greene offered some tips, noting that common bug classes such as cross-site scripting (XSS) are unlikely to be present in the ads code.

Researchers would have more success targeting missing or incorrect permission checks, insufficient rate limiting that allows scraping, edge-case CSRF issues, and problems with Flash files.
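To make the first two of those bug classes concrete, here is an added example of what a missing object-level permission check and a missing rate limit look like in a handler, beside their hardened forms. This is illustrative code written for this page, not Facebook's ads code; the ad-account data, the function names and the fixed-window limiter are all invented.

```python
# Added example, not Facebook's code. Two of the bug classes Greene points
# researchers at, on a made-up ads-reporting API.
from collections import defaultdict
import time

# Constructed sample data: each ad account has an owner and its own reports.
AD_ACCOUNTS = {
    "acct-1": {"owner": "alice", "reports": {"r-100": "Q3 spend: $12,000"}},
    "acct-2": {"owner": "bob",   "reports": {"r-200": "Q3 spend: $480"}},
}


class Forbidden(Exception):
    pass


def get_report_vulnerable(user, account_id, report_id):
    """Missing permission check: the session proves *someone* is logged in,
    but nothing ties the caller to the account whose report is returned, so
    any advertiser who guesses ids can read a competitor's spend."""
    return AD_ACCOUNTS[account_id]["reports"][report_id]


def get_report(user, account_id, report_id):
    """Hardened: authorise against the object being read, not just the session.
    'Not found' and 'not yours' return the same error so ids cannot be
    confirmed by probing."""
    account = AD_ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        raise Forbidden("no such report")
    report = account["reports"].get(report_id)
    if report is None:
        raise Forbidden("no such report")
    return report


def can_read(user, account_id, report_id):
    """Boolean wrapper around the hardened check, handy for tests and audits."""
    try:
        get_report(user, account_id, report_id)
        return True
    except Forbidden:
        return False


class RateLimiter:
    """Fixed-window counter per key (e.g. (user, endpoint)). Without something
    like this, an attacker can walk the id space at wire speed and scrape
    whatever the permission check does not cover. The clock is injectable so
    the behaviour can be tested deterministically."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self.buckets = defaultdict(lambda: [0.0, 0])  # key -> [window_start, count]

    def allow(self, key):
        now = self.clock()
        bucket = self.buckets[key]
        if now - bucket[0] >= self.window:
            bucket[0], bucket[1] = now, 0   # start a fresh window
        bucket[1] += 1
        return bucket[1] <= self.limit


def scrape(user, limiter, ids):
    """Simulate a scraper walking (account_id, report_id) pairs through the
    hardened endpoint. Returns (answered, throttled): a denied request still
    counts as answered, because even denials leak timing and id validity if
    they are unlimited."""
    answered = throttled = 0
    for account_id, report_id in ids:
        if not limiter.allow((user, "get_report")):
            throttled += 1
            continue
        can_read(user, account_id, report_id)
        answered += 1
    return answered, throttled
```

The permission fix is the one that actually closes the hole; the rate limit only raises the cost of finding the next one. Note that the hardened handler checks ownership of the account before looking at the report id, so an attacker cannot distinguish a wrong guess from a report belonging to someone else.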

Not to be outdone, Yahoo! has touted its recent HackerOne bug bounty that has since paid out $700,000 to 600 security researchers.

Yahoo! security response chief Ramses Martinez, the Purple Palace's Senior Director of Investigations, Intelligence, and Response, said

It also comes as Facebook is reported to be introducing a Safety Check feature that sends push notifications to users travelling in known disaster areas.

Troubled travellers would then need to verify their safety. If they reported themselves as being in danger, a notice would be posted to their feed. ®
