- Meta fixes a security flaw found in Facebook’s advertising platform
- The researcher who discovered the flaw received a reward of $100,000
- The flaw allowed the researcher to take effective control of a Facebook server
Meta has awarded cybersecurity researcher Ben Sadeghipour a $100,000 bug bounty after he discovered a security vulnerability in Facebook’s advertising platform in October 2024.
The flaw allowed Sadeghipour to execute commands on Facebook’s internal server that hosted the platform, giving him control of the server.
According to Sadeghipour, the unpatched bug allowed him to hijack the server using a headless Chrome browser, a version of the browser that runs from the command line without a graphical interface, to interact directly with Facebook’s internal servers.
Part of broader research.
The platform flaw involved a server Facebook used to create and serve ads. That server was vulnerable to a previously patched flaw in the Chrome browser, which Facebook uses in its ad system.
Sadeghipour told TechCrunch that online advertising platforms are attractive targets because “there’s a lot going on in the background of creating these ‘ads,’ whether they’re videos, text, or images.”
“But at the bottom of all this is a lot of data being processed on the server side and this opens the door to a lot of vulnerabilities,” Sadeghipour said.
The researcher confirmed that he did not test everything he could have once he was inside the server, although “what makes it dangerous is that it was probably part of an internal infrastructure.”
After he reported the vulnerability to Meta, the bug took just an hour to fix, Sadeghipour said, noting that its discovery was part of an “ongoing investigation into a specific application with a specific purpose.” This particular flaw took him a few hours to identify, but Meta worked with him to quickly fix the bug and offered a reward that “far exceeded” expectations, he confirmed in a LinkedIn post.
Bug bounty payouts have grown recently, and Google, for example, has dramatically raised its rewards for researchers participating in its program, so security research is becoming more lucrative.