Advertising code needs scrutiny of fresh eyes

Oct 17, 2014 15:29 GMT  ·  By

Developers who discover security flaws in Facebook’s advertising system will receive larger rewards starting this week and continuing through the end of the year.

Facebook has finished a security audit of its advertising platform, which revealed a number of problems that have since been fixed. However, more bugs could still lurk, and the company wants fresh eyes to take a look and report what they find.

The announcement comes less than a month after Google increased the rewards in its bug bounty program, reasoning that the number of reported flaws had dropped considerably and that those remaining are severe enough to require extensive effort from researchers.

Facebook security engineer Collin Greene said in a post that the increased incentive is meant to “encourage additional scrutiny from Whitehats to see what we might have missed.”

Auditing the code helped increase security of the ad system

As a result of the security audit, the company managed to eliminate multiple issues that allowed malicious actors to abuse the advertising system.

In one example, it was possible to redeem the same ad coupon several times, because no expiration was set. Also, by guessing a Page ID, a malicious actor could obtain the name of an unpublished Page through the Ads Create Flow.
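The two bugs above boil down to a missing single-use/expiry check and a missing authorization check. The following is an added illustration, not Facebook's code, using a constructed toy model of coupons and Pages; the function and field names are assumptions. Each weak handler is shown beside its hardened form.

```python
import time
from dataclasses import dataclass, field

# Constructed toy model of the two audited ad-system bugs (not Facebook code).

@dataclass
class Coupon:
    code: str
    value: int
    expires_at: float                       # Unix timestamp
    redeemed_by: set = field(default_factory=set)

@dataclass
class Page:
    page_id: int
    name: str
    published: bool
    admins: set = field(default_factory=set)

def redeem_weak(coupon, account_id, balances):
    """Pre-fix behaviour: no expiry and no single-use check, so the same
    code can be credited to an account over and over."""
    balances[account_id] = balances.get(account_id, 0) + coupon.value
    return True

def redeem_coupon(coupon, account_id, balances, now=None):
    """Hardened: reject expired codes and repeat redemptions per account."""
    now = time.time() if now is None else now
    if now >= coupon.expires_at:
        return False                        # expired
    if account_id in coupon.redeemed_by:
        return False                        # already used by this account
    coupon.redeemed_by.add(account_id)
    balances[account_id] = balances.get(account_id, 0) + coupon.value
    return True

def page_name_weak(pages, page_id, requester_id):
    """Pre-fix behaviour: any existing ID returns the name, published or not."""
    page = pages.get(page_id)
    return page.name if page else None

def page_name_for_ads(pages, page_id, requester_id):
    """Hardened: unpublished Pages are visible only to their admins, and an
    unauthorized ID is answered exactly like a missing one, so guessing IDs
    reveals nothing about drafts."""
    page = pages.get(page_id)
    if page is None or (not page.published and requester_id not in page.admins):
        return None
    return page.name
```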

Another security flaw made it possible to force a victim to send a malicious email on the attacker’s behalf. This could be achieved by injecting JavaScript into an ads report email and then leveraging a CSRF (cross-site request forgery) bug.

A CSRF attack consists of forcing an authenticated user to execute a request of the attacker’s choosing on a web application. Social engineering is a strong component of the attack, which can end up compromising the end user’s information as well as the web application itself.

Researchers have several areas to focus on

“At this stage of our bug bounty program, it's uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs,” Greene says in the Facebook post.

The security engineer also provides a list of areas that bug bounty hunters should focus on in their research. These include the UI, the Ads API and analytics, but everything beyond those is also open to scrutiny, since there is plenty of code handling ads, from targeting and billing to delivery and measurement.