A total of 17,011 bugs were submitted to Facebook in 2014, up 16 percent from the previous year, and 61 of those bugs were classified as high-severity, up 49 percent from 2013.
Facebook security engineer Collin Greene shared those figures in a note on the Facebook Bug Bounty page, adding that $1.3 million was paid out to 321 researchers from around the world last year, with an average reward of $1,788.
According to Greene, the Facebook Bug Bounty program has distributed a total of more than $3 million since its establishment in 2011.
Greene wrote that rewards were issued in 65 countries in 2014, up 12 percent from 2013, and reports came from 123 countries. The top five countries in 2014 in terms of valid bugs submitted were:
- India: 196 (average reward of $1,343)
- Egypt: 81 ($1,220)
- U.S.: 61 ($2,470)
- U.K.: 28 ($2,768)
- Philippines: 27 ($1,093)
He also spotlighted three of the biggest potential issues that were discovered and dealt with last year:
- Hidden input parameters: There was a bug where the back-end code was receiving multiple values for the same parameter, causing unintended effects downstream. This meant that upon submission, we received two sets of parameters with the same name and differing values (e.g., facebook.com/foo?name=bar&name=baz). In this case, the behavior in both PHP and HHVM (HipHop Virtual Machine) is to use the last value provided — i.e., name would equal “baz.” After we fixed the instance from this report, we also fixed a few other spots and made improvements around duplicate parameters so that issues like this shouldn’t happen again.
- Amazon S3 bucket: A number of Facebook services make some use of Amazon Web Services, Instagram being one of them. Amazon S3 is used for storage and is accessed via S3 buckets, each with a specific hostname (e.g., distilleryimage07.s3.amazonaws.com). The regex that determined if an S3 bucket was legitimate or not had an error — it allowed S3 buckets that Instagram did not control, letting the submitter register buckets like distilleryimage00.s3.amazonaws.com. This is worth calling out because many websites use S3 and might be vulnerable to some variation of this issue.
- Legacy REST API calls: A misconfigured endpoint allowed legacy REST API calls to be made on behalf of any Facebook user using only their user ID, which could be obtained from their profile or through the Graph API.
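The first two bugs above are general input-handling pitfalls, not Facebook-specific ones, so here is an added example that reproduces each and puts a hardened check beside it. This is illustrative code written for this article, not Facebook's or Instagram's code: it is in Python rather than PHP, the URLs and bucket names are constructed, and the "loose" regex is a stand-in for the kind of mistake Greene describes (the real pattern was never published). The strict duplicate-parameter parser is one reasonable reading of "improvements around duplicate parameters", not the actual fix.

```python
# Added example (not Facebook's code): the duplicate-parameter and S3 bucket
# regex issues from Greene's write-up, each with a hardened alternative.
# URLs, bucket names and the loose regex are constructed for illustration.
import re
from urllib.parse import parse_qs, urlsplit


# --- 1. Duplicate query parameters (HTTP parameter pollution) -------------

def _grouped_query(url):
    """Return {name: [value, value, ...]}, preserving every copy of a name."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def php_style_params(url):
    """Mimic PHP/HHVM $_GET: when a name repeats, the LAST copy wins."""
    return {name: values[-1] for name, values in _grouped_query(url).items()}


def first_wins_params(url):
    """Mimic a component in front of the PHP tier that keeps the FIRST copy.
    A check performed here is applied to a value the back end never uses,
    which is how 'unintended effects downstream' arise."""
    return {name: values[0] for name, values in _grouped_query(url).items()}


def duplicate_params(url):
    """Names that appear more than once in the query string."""
    return sorted(name for name, values in _grouped_query(url).items()
                  if len(values) > 1)


def safe_params(url):
    """Strict parser: single-valued parameters, or None when any name is
    repeated, so the caller fails closed instead of guessing which copy
    the rest of the stack will honour."""
    if duplicate_params(url):
        return None
    return {name: values[0] for name, values in _grouped_query(url).items()}


# --- 2. An S3 bucket "allowlist" regex that is looser than intended --------

# Constructed stand-in for the flawed check: it was meant to admit the
# service's own buckets (distilleryimage07 and friends), but '\d*' also
# admits distilleryimage00, a name anyone could register on S3.
LOOSE_BUCKET_RE = re.compile(r"^distilleryimage\d*\.s3\.amazonaws\.com$")

# Hardened form: parse the bucket label out of the hostname, then compare it
# against an explicit set of buckets the service actually owns. This set is
# made up; a real deployment would populate it from its own inventory.
OWNED_BUCKETS = frozenset({"distilleryimage07", "distilleryimage11"})
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3\.amazonaws\.com$")


def is_trusted_s3_host_loose(host):
    """The buggy check: hostname shape only, no ownership test."""
    return LOOSE_BUCKET_RE.match(host) is not None


def is_trusted_s3_host(host):
    """Hardened check: well-formed S3 hostname AND bucket on the allowlist."""
    m = S3_HOST_RE.match(host.lower())
    return m is not None and m.group("bucket") in OWNED_BUCKETS


if __name__ == "__main__":
    url = "https://facebook.com/foo?name=bar&name=baz"
    print("PHP/HHVM sees  :", php_style_params(url)["name"])   # baz
    print("first-wins sees:", first_wins_params(url)["name"])  # bar
    print("duplicates     :", duplicate_params(url))           # ['name']
    print("strict parse   :", safe_params(url))                # None
    for host in ("distilleryimage07.s3.amazonaws.com",
                 "distilleryimage00.s3.amazonaws.com",
                 "distilleryimage07.s3.amazonaws.com.example.net"):
        print(host, "loose:", is_trusted_s3_host_loose(host),
              "strict:", is_trusted_s3_host(host))
```

The point of the first half is that "which copy wins" is a property of each component in the request path, so any validation done before the PHP tier can be bypassed by sending the checked value first and the intended value last; refusing repeated names removes the ambiguity entirely. The second half shows why a shape-only regex is the wrong tool for an ownership decision: S3 bucket names are a shared global namespace, so a hostname looking right says nothing about who controls it, and the check has to consult a list of buckets you actually own.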
Finally, Greene provided the following resources for researchers who are interested in submitting bugs:
- Researchers can view the status of their reports and keep track of the progress using our Support Dashboard.
- Commonly reported issues that are ineligible are listed here.
- Example write-ups and tips on submitting great reports are here.
Readers: Are you surprised at the number of bugs Facebook deals with each year?
Image courtesy of Shutterstock.