Facebook Doubles Bug Bounties for Ad Code Flaws

Facebook is shining a light on flaws in its advertising code, arguably the lifeblood of the company, by doubling bug bounties for researchers who find them.

“We recently completed a comprehensive security audit of this area ourselves,” explained Collin Greene, a security engineer at Facebook, in a post on the social network. “We found and fixed a number of security bugs but would like to encourage additional scrutiny from white-hats to see what we might have missed.”

He went on to say that the vast majority of bug reports Facebook receives focus on the more common parts of its code. So the effort is also a way to encourage researchers to become “more familiar with the surface area of ads to better protect the businesses that use them.”

Bugs can be present in a variety of areas within the ads code, including the user-interface code, the developer API and the analytics that measure an ad's performance.

“Ads-related code is the main part of Facebook that has and enforces roles, so it's also worthwhile to understand them,” Greene said. “Among these roles, the permissions for reading or writing billing information are the most relevant.”

The highest-impact bugs Facebook has seen in the analytics and UI areas have been missing or incorrect permissions checks, he said. “For example, we had an issue where someone could access insights for any application via a Graph API token with the read_insights permission.”
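The read_insights issue Greene describes is the general pattern of confusing a scope check (does this token carry the permission?) with an object-level check (is this token allowed to act on this particular object?). The following is an added illustration written for this article, not Facebook's code; the Token model, the app IDs, the insights store and both handler functions are constructed assumptions.

```python
# Added example (not Facebook's code): a scope check is not an ownership check.
# The vulnerable handler accepts any token carrying read_insights as proof that
# the caller may read insights for *any* app ID it guesses. The fixed handler
# also requires that the token was issued to the app being queried.
# Names, data model and the "insights" store are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    app_id: str            # the app this token was issued to
    scopes: frozenset      # granted permissions, e.g. {"read_insights"}


# Constructed sample data: two apps, each with its own insights record.
INSIGHTS = {
    "app_1001": {"impressions": 12000, "clicks": 340},
    "app_2002": {"impressions": 98000, "clicks": 5100},
}


class Forbidden(Exception):
    pass


def get_insights_vulnerable(token: Token, app_id: str) -> dict:
    """Checks that the caller holds the permission, but never asks whether
    the token's app is the app whose insights are being requested."""
    if "read_insights" not in token.scopes:
        raise Forbidden("missing read_insights")
    return INSIGHTS[app_id]          # any app_id the caller supplies


def get_insights_fixed(token: Token, app_id: str) -> dict:
    """Same scope check, plus the object-level check the vulnerable version
    lacks: the token must belong to the app being queried."""
    if "read_insights" not in token.scopes:
        raise Forbidden("missing read_insights")
    if token.app_id != app_id:
        raise Forbidden("token not issued for app %s" % app_id)
    return INSIGHTS[app_id]


def can_read(handler, token: Token, app_id: str) -> bool:
    """True if the handler returns data, False if it refuses or the app is unknown."""
    try:
        handler(token, app_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    t = Token("app_1001", frozenset({"read_insights"}))
    print("vulnerable, other app:", can_read(get_insights_vulnerable, t, "app_2002"))
    print("fixed, other app:     ", can_read(get_insights_fixed, t, "app_2002"))
```

The point worth internalizing is that the fix is not a stronger scope; the scope was correct. What was missing was the binding between the credential and the resource, which is why this class of bug survives even when every endpoint checks permissions.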

There is also “a lot of backend code to correctly target, deliver, bill and measure ads,” Greene noted. It’s code that isn't directly reachable via the website, “but of the small number of issues that have been found in these areas, they are relatively high impact,” he said.

Examples of remediated advertising bugs include: redeeming the same ads coupon multiple times without expiry; retrieving the name of an unpublished page via the ‘Ads Create Flow’ function by guessing its page ID; allowing arbitrary local file read via a .zip symlink; and injecting JavaScript into an ads report email and then leveraging a CSRF bug to make a victim send a malicious email to a target.
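The “.zip symlink” item above is a common archive-handling failure: an archive contains an entry whose mode bits mark it as a symbolic link, an extractor that honours those bits creates the link, and anything that later reads the extracted path reads the link target instead. The check below is an added example written for this article, not Facebook's code; the archive contents are constructed, and the entry names are arbitrary.

```python
# Added example (not Facebook's code): refuse archive entries that an
# extractor could turn into a symlink or write outside the target directory.
# The sample archive is constructed in memory for illustration.
import io
import stat
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one ordinary entry, one entry whose Unix
    mode bits mark it as a symlink to /etc/passwd, and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", "campaign,clicks\nspring,42\n")
        link = zipfile.ZipInfo("preview.png")
        # The external attributes carry the Unix mode in the high 16 bits;
        # S_IFLNK marks the entry as a symlink whose data is the link target.
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")
        zf.writestr("../outside.txt", "x")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry's stored Unix mode says it is a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def unsafe_entries(data: bytes) -> list:
    """Return (name, reason) for every entry that must not be extracted:
    symlinks, absolute paths, and parent-directory traversal."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if is_symlink(info):
                bad.append((name, "symlink"))
            elif name.startswith(("/", "\\")):
                bad.append((name, "absolute path"))
            elif ".." in parts:
                bad.append((name, "path traversal"))
    return bad


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample_zip()):
        print("reject %-16s %s" % (name, reason))
```

Python's own `zipfile` does not create symlinks on extraction (it writes the target string as the file's contents), but command-line `unzip` and many other extractors do, and code that shells out to them inherits the behaviour. Rejecting the archive up front, rather than trusting the extractor and then reading the result back, is what closes the file-read path regardless of which tool unpacks it.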

“At this stage of our bug bounty program, it's uncommon for us to see many of the common web security bugs like XSS,” Greene noted. “What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs.”