- A security flaw found in Facebook’s advertising platform has been fixed by Meta
- The researcher who discovered the flaw received a $100,000 bug bounty.
- The flaw allowed the researcher to effectively take control of a Facebook server.
Meta awarded cybersecurity researcher Ben Sadeghipour a $100,000 bounty after discovering a security flaw on Facebook’s advertising platform in October 2024.
The flaw allowed Sadeghipour to execute commands on Facebook’s internal server that hosted the platform, giving him control of the server.
According to Sadeghipour, the unfixed bug allowed him to hijack the server using a headless Chrome browser (a version of the browser run from the command line without a graphical interface) to interact directly with Facebook's internal servers.
Part of broader research
The flaw was connected to a server that Facebook uses to create and serve ads. That server was running a version of the Chrome browser, which Facebook uses in its advertising system, that was affected by a previously patched Chrome flaw.
Sadeghipour told TechCrunch that online advertising platforms are attractive targets because “there is so much going on in the background of creating these ‘ads,’ whether they are videos, text, or images.”
“But at the heart of it all is a bunch of data processed on the server side, which opens the door to a ton of vulnerabilities,” Sadeghipour said.
The researcher confirmed that he did not test everything he could have once inside the server, although “what makes this dangerous is that it was probably part of an internal infrastructure.”
After reporting the vulnerability to Meta, fixing the bug took just an hour, Sadeghipour said, noting that his discovery was part of “ongoing research into a specific application with a specific goal.” This particular flaw took him a few hours to identify, but Meta worked with him to quickly fix the bug and offered him a bonus “well beyond” expectations, he confirmed in a LinkedIn post.
Bug bounties have been on the rise recently, with Google significantly increasing its rewards for researchers who participate in the program, making security research more lucrative.